Human Firewall Council Sees Security Immaturity

A Human Firewall Council survey of the state of information security, as measured against ISO guidelines, shows plenty of room for improvement. Is the problem a lack of overarching vision, a dearth of adequate resources or a little of both?

By Derek Slater

Page 2

As with many large companies, Northern Trust uses the ISO 17799 standard as a guideline for its information security efforts. Still, Locke notes that full compliance is not necessarily realistic for everyone. His own company earns a B-minus, or about 80 percent, on the survey, which he attributes not to oversights but to rational evaluation of where the ISO recommendations are, and are not, appropriate for their particular business requirements. ISO compliance is enormously time consuming, and Locke's company and his staff have plenty of other demands pulling on them, notably legislation such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (better known as HIPAA), not to mention assorted laws for doing business in Singapore and other places around the globe. "We spend a lot of time with federal regulators and our own legal and compliance people, and it takes a lot of time for my staff to work through all this documentation," says Locke. (For more on the challenges of fully implementing ISO 17799, see "Guiding Lite," March 2003.)

Grading on a Curve

Another possible reason for lower scores of some other survey respondents, says Locke (himself a former manufacturing company employee), is that other industries vary in their exposure to information security and may find certain categories in the index simply less critical than do financial or health-care organizations.

Finally, there is one more significant caveat to bear in mind with the survey results: The assignment of letter grades is quite subjective. For example, a company that checks "partially implemented" for a particular set of ISO best practices automatically receives a score (5 out of 10) that maps to a failing grade for that category. "In my opinion, partial implementation might be more deserving of a C," admits Rasmussen.

Nevertheless, the index makes its point. "You can look at the methodology and say it's skewed one way or another," says Rasmussen, "but I would say the results are fairly accurate based on what I find in the field."
