Source: [id: 41018; name: CSO; isActive: true; siteId: 3] -- CSO -- $content.altguid

ISO 17799, NIST and More: Guiding Lites

Information security standards are quite a bit less than that—and that needs to change.

By

March 01, 2003CSO — Just a couple of years ago, when someone asked how comprehensive Vanguard's information security program was, the answer would have been predictably reassuring but vague: "We're fine; nothing's happened." And for an investment company that manages $560 billion in assets, that just wasn't good enough.

"The chairman wants to see progressionwhat's getting better, what worries us," says Jim Hyatt, who oversees information security and contingency services for The Vanguard Group. Vanguard's way of getting there? By following ISO 17799, a nontechnical document from the International Organization for Standardization that's the closest thing the information security world has to a golden rule-book of management.

Based on the British Standards Institute's BS 7799, from which it's almost indistinguishable, ISO 17799 should have a place on every insomniac's bedside table. This yawner of a document has close to 70 pages of flatly written advice for managers about how to approach, implement and monitor a security program. Widely used in the United Kingdom, it has been mostly snubbed in the United States as a flawed document that's the next worst thing to regulation. Yet, as a few U.S. companies are discovering, ISO 17799 can be an effective way to communicate to stakeholders that a company is working toward a set of security best practices recognized around the world.

At Vanguard, the process started as every fledgling CSO dreams it will. The top brass declared information security a top priority, yanked it out of the information technology department and gave the new group the go-ahead to start using ISO 17799. Information security, working closely with IT, the internal audit department and senior management of each business division, started tackling the document in late 2001. Each of the 30 categories, including software development, telecommunications structure, remote access and employee awareness, was assigned an owner, who worked with someone from both information security and internal audit to assess how comfortable the company was with that aspect of security. Then the three-person team began rating the category a red, yellow or green: green for areas at or near industry leadership, yellow for items that could be improved, and red for items that needed immediate attention.

The results were compiled onto one of Vanguard's "dashboards"one-page documents that managers across the company use every week to set their direction. Now, when a new computer virus hits, the category for virus, Web and e-mail controls are rated red until new filters are installed. Suddenly, information security works like the rest of the business.

RESOURCE CENTER