
Leveraging ISO 17799 to Achieve Security Management Best Practices

Jun 08, 2005 | 10 mins
CSO and CISO | Data and Information Security

By Evan Tegethoff

“Information security is a journey, not a destination.” “You can never be totally secure.” “Effective security is an ongoing process.” These are just a few of the tired clichés of the security industry. Like most clichés, there are elements of truth in each. However, they don’t offer much help. For someone who really wants to improve IT security within their organization, these statements can lead to a feeling of being defeated before the game even begins.

Sisyphus, a character from Greek mythology, is forced for eternity to roll a stone up a steep hill, only to have it roll back down as soon as it reaches the top. IT and security professionals can feel like Sisyphus, with no hope of securing their organization’s enterprise in the face of growing challenges.

Today’s information security climate goes beyond the traditional fears of compromise by wily hackers and viruses running amok. Government regulations such as Sarbanes-Oxley, HIPAA, and California SB1386 have become major drivers for organizations to revisit their risk management approaches. Additionally, partner-driven requirements such as Visa’s CISP and MasterCard’s SDP are putting additional pressure on organizations to have a strong set of controls around critical data. Building a solid security foundation takes on an increased importance in light of these facts.

But a question still remains as to how to build this foundation. There are many standards and frameworks available that touch on the topic of security. The most widely-accepted source of good practices for security management is ISO/IEC 17799:2000, Code of Practice for Information Security Management (derived from the British standard BS 7799). ISO 17799 can be used, in conjunction with a solid risk assessment approach, to help build a strong, standards-based information security program. Applied as a general framework, the ISO standard also draws attention to the fact that a security program must be balanced, in both spending and effort, if it is to produce results.

Turning the Program Right-side Up

The advice given in ISO 17799 is high-level in nature. This is both its chief weakness and its chief strength. It has been rightly criticized by some as being too shallow and not offering enough directive content in terms of what should actually be done. However, the strength of being general and technology-neutral is that it turns the prevailing mentality about security upside down (or, you might say, “right-side up”).

In too many organizations, the information security department has evolved as a primarily technical discipline. Because many security problems had technical roots (e.g., viruses, system compromise), solutions often came in the form of technology. This led to an overall weakness in the area of strategic planning and in other foundational elements such as security policies and procedures.

By aligning with the ISO 17799 standard, the way an organization thinks about security can be radically changed. Because ISO 17799 focuses on foundational policy elements and good practices, it may expose holes in the information security program that cannot be filled by any technology.

A security program must encompass not only technology, but people and processes. In fact, it is only once the program has been developed in terms of people and processes that it can be determined what technologies are appropriate to serve the security goals of an organization. It is critical that the requirements of an organization drive security technology, not the other way around. ISO 17799 can offer a lot of good input into creating a security program that is built “right-side up.”

Basing the Program on a Standard

Common sense tells us that a security program needs to have solid buy-in from the highest levels of an organization, be based on a strong foundation of policy, and be inclusive of such technical domains as networking, applications, and infrastructure. The ISO standard represents these and other principles in the form of ten domains:

ISO 17799 Domains

1. Security Policy
2. Organizational Security
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Systems Development and Maintenance
9. Business Continuity Management
10. Compliance

All ten of these domains are essential. A holistic security program must encompass all ten. They are as interconnected as the pieces of a puzzle.

If even one piece is left out, insufficiently developed, or incompletely integrated, the program as a whole falls apart. In other words, the principle that you are only as strong as your weakest link applies to the security program as a whole just as it applies to any individual security technology, such as a firewall or an access control system.

The benefit of building and documenting the program around a standard is that it ensures a strategy based upon widely-accepted principles and practices. It also ensures that adequate attention is paid to all realms of security, not just the technical areas. This approach leads to a stronger overall level of preparedness.

Supplementing Regulations

A major problem organizations face in complying with regulations is the fact that, in an attempt to be technology-neutral, the regulations have been written in extremely vague terms. It is very difficult to determine what really needs to be done from reading a regulation. ISO 17799 can help to supply some substance. For all of its faults and weaknesses, the ISO standard is still the most widely-accepted framework for managing information security. As such, it has served as the philosophical underpinning of many regulations pertaining to information security and privacy. ISO 17799 and its source document BS 7799 were calling for controls around the privacy of personal information long before pieces of legislation such as HIPAA and California SB 1386 made them law.

The goal of supplementing a regulation with something like ISO 17799 is to create a baseline for an organization that is more inclusive of industry-accepted good practices for security. Regulations like HIPAA may have their own narrow focus, but generally they match broader standards like ISO 17799 closely enough to be considered a subset of them. Focusing on the subset may take care of the immediate need to comply, but may not give an organization all the pieces needed to make up a strong information security program.

Many compliance requirements across different industries call for increased vigilance in information security management practices. These include:

  • GLBA
  • Sarbanes-Oxley
  • Visa CISP
  • MasterCard SDP

The focus of each of these requirements is a little bit different, but there are common themes:

  • The need to perform risk assessment
  • The need for security accountability at a high level of the organization
  • The need for creation and effective communication of security policies and standards

Often the requirement is stated at a very high level. For example, in the final HIPAA security rule, the requirement for risk assessment is stated as:

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity.”

This is a major requirement that may require a considerable change in information security practices at the covered entity. Coupling the requirements of the regulation with guidance from ISO 17799 can create a practical basis for improvement of information security in an organization.

Creating an Opportunity for Improvement

Instead of looking at regulations in a vacuum, compliance requirements can be turned into an opportunity to look holistically at security strategies and to evaluate them in the light of standards.

As an example, many health care organizations are involved in efforts to comply with the HIPAA Security Rule, which dictates the need to protect sensitive patient data. It is relatively easy to map elements of HIPAA into the ISO domains because of the broad nature of the categories. The value of ISO 17799 is then to incorporate the other elements of that domain into a baseline to assess the organization. This baseline will then be inclusive of all elements required by HIPAA, but will also include the super-set of items called for by the ISO Standard. This approach can effectively keep the organization ahead of the curve.

The next step is to take advantage of these requirements to create a common baseline of activities that support the protection of information. Information protection requirements are drawn initially from regulations and the ISO standard and can then be tailored to a specific organization’s needs, drawn from business initiatives, audit requirements, and other important internal drivers.

ISO 17799 and Risk Assessment

There are many ways of performing risk assessment, but for an approach to be useful, it must be simple and repeatable. The trick with risk assessment is to “throw a rope” around all the potential risks (threats and vulnerabilities) to an organization. The ISO standard can be used in this way to categorize potential risks to an organization. For instance, risk factors can be organized and then prioritized by ISO domain. Again, the utility of this approach is the assurance that no major areas are being overlooked.

A good example of this approach is embodied in the BITS Kalculator. The BITS Kalculator represents operational risks and allows them to be sorted by the ISO 17799 domains. The ISO domains effectively become the scope for risk assessment and allow for an approach that can be easily repeated through self-assessment. Additionally, this approach allows an organization to map the likelihood and impact to create a quantifiable representation of risk across the template created by the ISO domains.
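As an added illustration of the domain-scoped approach described in the two paragraphs above (this is example code written for this page, not the BITS Kalculator and not code from the article): a small risk register in which every entry is tagged with one of the ten ISO 17799:2000 domains, scored as likelihood × impact on 1-to-5 scales, prioritized, and then checked for domains that contain no assessed risks at all, which is the "nothing overlooked" check the text describes. The scales, rating thresholds, and the sample register entries are assumptions constructed for the example.

```python
"""Risk register organized by ISO 17799:2000 domain (added example, not from the article)."""
from __future__ import annotations

from dataclasses import dataclass

# The ten domains of ISO/IEC 17799:2000, used as the scope of the assessment.
ISO17799_DOMAINS = (
    "Security Policy",
    "Organizational Security",
    "Asset Classification and Control",
    "Personnel Security",
    "Physical and Environmental Security",
    "Communications and Operations Management",
    "Access Control",
    "Systems Development and Maintenance",
    "Business Continuity Management",
    "Compliance",
)


@dataclass(frozen=True)
class Risk:
    """One risk factor, tagged with the ISO domain it belongs to."""
    domain: str
    description: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject entries that fall outside the ten-domain template or the scales.
        if self.domain not in ISO17799_DOMAINS:
            raise ValueError(f"unknown ISO 17799 domain: {self.domain!r}")
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")

    @property
    def score(self) -> int:
        # Quantified risk: likelihood x impact, range 1..25.
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Map a numeric score to a coarse rating (thresholds are an assumption)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest-scoring risks first; ties keep their register order."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def worst_score_by_domain(register: list[Risk]) -> dict[str, int]:
    """Worst (maximum) score per domain; 0 for domains with no assessed risk."""
    worst = {d: 0 for d in ISO17799_DOMAINS}
    for r in register:
        worst[r.domain] = max(worst[r.domain], r.score)
    return worst


def unassessed_domains(register: list[Risk]) -> list[str]:
    """Domains with no entries at all: the gaps a domain-scoped assessment is meant to expose."""
    covered = {r.domain for r in register}
    return [d for d in ISO17799_DOMAINS if d not in covered]


# Constructed sample register for a hypothetical covered entity (not real findings).
SAMPLE_REGISTER = [
    Risk("Access Control", "Shared administrator accounts on the billing database", 4, 5),
    Risk("Access Control", "No periodic review of user entitlements", 3, 3),
    Risk("Communications and Operations Management", "Backups are never test-restored", 3, 5),
    Risk("Personnel Security", "No screening of contractors with access to patient data", 2, 4),
    Risk("Business Continuity Management", "No documented recovery plan for the primary data centre", 2, 5),
    Risk("Security Policy", "Security policy last reviewed three years ago", 5, 2),
    Risk("Compliance", "HIPAA requirements not mapped to implemented controls", 3, 3),
    Risk("Asset Classification and Control", "No inventory of systems holding ePHI", 4, 4),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:2d} {rating(r.score):6s} [{r.domain}] {r.description}")
    print("Worst score per domain:", worst_score_by_domain(SAMPLE_REGISTER))
    print("Domains with no assessed risks:", unassessed_domains(SAMPLE_REGISTER))
```

Run stand-alone, the script lists the register in priority order and then reports three domains (Organizational Security, Physical and Environmental Security, Systems Development and Maintenance) with no entries at all. A domain scoring 0 is not a domain with no risk; it is a domain nobody has looked at yet, and that distinction is what the ISO template adds over an unstructured list of findings.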

Organizations and industries will have unique threats and vulnerabilities. However, there are common approaches to addressing risk. This is why it is so critical to map the specific risks of the organization into a common blueprint, such as the ISO standard, in order to come up with the baseline for your organization. ISO 17799 should not be considered the definitive source for risk assessment; it is simply a starting point. The true value of using the ISO standard can only be achieved by adapting it to the organization.

The Evolving Security Program

If the current proliferation of regulations has taught us anything, it is that information protection requirements are going to continually increase. Only a few years ago, who would have thought that our government and other corporate partners would be requiring security such as protection of personal information and controls around the reporting of financial information? The security program itself must be created with the knowledge that it will be constantly evolving.

ISO 17799 will not remain static either. The next major revision of ISO 17799 is expected to be available in 2005. No major changes in content or theme are expected. Rather, the changes will incorporate a number of suggestions raised at the time ISO/IEC 17799:2000 was published and expand certain subject areas.

Ultimately, the objective for an organization is to create an information security strategy that is maintainable. As the ISO standard evolves and the nature of the business evolves, changes made to the overall strategy and supporting policies should be incremental in nature, not wholesale.

Changes to the information security program cannot be avoided, they can only be managed. This is because information security is a journey, not a destination, you can never be totally secure, and effective security is an ongoing process.