by Michael Rasmussen

IT Trends 2003: Information Security Standards, Regulations and Legislation

Dec 18, 2002

Question: What are the key trends in information security standards, regulations and legislation for 2003?

Information security is a business problem, not a technology one. With the focus on information security in the media, and in legislatures around the world, organizations are facing complex requirements to comply with security and privacy standards and regulations. This is forcing the discussion of information security into boardrooms, as more executives and boards of directors understand their responsibility and accountability in information security governance.


  • Increased focus on information security: The awareness of the challenges and issues we face in information security has grown. Through the media, government, cyber-attacks/crimes, and proliferation of vulnerabilities in products, information security continues to receive increased focus.
  • Failures in technology to protect information: As a result of successful attacks such as Code Red and Nimda, organizations have realized that security products are not the complete answer to security. Information security is a business problem of which technology is just a small piece.
  • Proliferation of standards, regulations and legislation: Organizations face complex requirements to comply with a myriad of standards and regulations. Even within a single vertical such as financial services, meeting security requirements is made complex by an onslaught of different regulations (e.g., the US Gramm-Leach-Bliley Act of 1999 (GLBA), Basel Accords, Securities and Exchange Commission (SEC) requirements, USA Patriot Act). It is no longer a matter of meeting one compliance obligation, but a complex web of requirements that grows exponentially as organizations cross international boundaries.
  • Threat of legal liability: 2002 has been the year of legal liability from security. Organizations and software vendors are being held to a higher degree of accountability for security, if not in the courtroom, then by their customers.
  • Business partners and stakeholders demanding security: Organizations are challenged to prove they are managing security to a level that will satisfy their business partners and stakeholders. This goes beyond discussing what security products are installed, to communicating compliance and management practices of information security. In fact, the National Strategy to Secure Cyberspace released by the White House recommends that organizations disclose their security audit and compliance status.


  • More regulatory and legislative oversight: Organizations can expect to see increased regulation, specifically in industry verticals that are considered critical infrastructure (for example, finance, transportation, communication, health care, energy, utilities). Furthermore, 2003 will bring us further regulatory requirements as governments seek legislative means to boost information security.
  • Executive and board oversight of information security: 2003 will bring information security from awareness into action in many corporate environments, building on what we have seen in 2002. Boards of directors and executive management will pay closer attention to their governance responsibilities as related to the protection of information assets. Giga expects the strongest focus for executive/board oversight to come from regulated industries, particularly finance (for example, GLBA, Basel Accords), health care (such as the US Health Insurance Portability and Accountability Act of 1996, HIPAA) and government (such as the Federal Information Security Management Act, FISMA). In 2004, this trend will continue as other industries such as energy/oil and gas, transportation, communication and utilities get further guidance defined for them in 2003.
  • Increased focus on certification and accreditation with continuous assessment: As organizations face regulatory compliance obligations, or have adopted standards and best practices to manage their information protection programs, we will see a focus on the certification and accreditation of system security before production implementation. This will be followed by the development of a continuous assessment process to manage risk and compliance on an ongoing basis.
  • Development of GAISP/GASSP: With organizations facing challenges to manage and validate compliance with a myriad of standards and regulations, they will need to boil requirements down into a common taxonomy. Organizations need to understand the elements common to all of the standards and regulations they must comply with, show compliance to those common elements, and then map them back to each individual standard or regulation. This will drive renewed growth for the Generally Accepted System Security Principles (GASSP), now looking at being renamed the Generally Accepted Information Security Principles (GAISP). GASSP/GAISP is now focused on building out these common detailed elements and mapping them over to security standards and regulations.
  • ISO17799 set as defining framework: ISO17799 has become the de facto standard for defining (at a high level) an information security program/architecture. While it has received a lot of criticism from many governments, interest in it and adoption of it have built up significant momentum. It is currently undergoing revisions that are appeasing its staunchest critics and enhancing the standard. 2003 will show us continued growth in the adoption of ISO17799, with more organizations adopting it and industry groups/associations promoting it.
  • Common Criteria product certification more widely pursued and recognized: With the mandate that security products and security-enabled products be Common Criteria certified in order to be purchased by US Department of Defense Agencies, significant momentum is being built in the recognition and adoption of Common Criteria certification. With the possibility of extending this requirement to all of the US federal government being discussed, 2003 will be a strong year for the growth and recognition of the Common Criteria.
  • CISSP certification set as management standard for information security professionals: With the focus on managing information security, and the chief security officer (CSO)/chief information security officer (CISO) role being adopted in many organizations (now mandated in US federal agencies through FISMA), the CISSP professional certification will continue its lead as the premier information security management certification for information security officers and managers.