Security from Obscurity: Building a Security Program, Understanding the Standards
In this third installment of the series, we are going to talk about a few different standards and focus on the one you most likely should start with. In the last installment we touched on ISO 17799. This is probably the best place to start building a security program. Other standards and frameworks such as SABSA and COBIT will most likely overwhelm you if you are just starting out. They will cause you to spin your wheels much longer, and while all standards make great bedtime reading, they will probably have you staying up late pulling your hair out while your eyes bleed. In this series, we are talking about creating a security program where none existed, so let’s go with the easier choice. Having said that, please consider ISO 17799 a starting point to get you on your way and not the final solution. There is nothing wrong with it, but you may need to comply with regulators that go beyond it, or you may simply want to go further in defining policy, as ISO 17799 is more of a high-level guide. In fact, both COBIT and SABSA complement the work you will do with ISO 17799; they do not compete with it. They do compete with each other. As you dive further into security and into what it takes to achieve regulatory compliance, you will likely adopt one of these frameworks, or possibly another.
Let’s pause for a second and let me explain one thing. I say ISO 17799 because that is what I have known it as for years and that is what you are most likely to find when searching. This standard comes from BS 7799. It has since been revamped and is now known as ISO 27002 (formally ISO/IEC 27002). That being said, I will continue to refer to it as ISO 17799 for the reason mentioned above. Carrying on…
So what exactly is ISO 17799 going to give you? Good question. It provides guidelines for what an organization should have in its security program. It gives advice from a ten-thousand-foot view on the major components that should be in the security program; it tells you what areas to cover, not how to implement the specific controls. The areas it covers, called clauses, include the following topics: security policy; organizing information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management; business continuity management; and compliance.
I hope this helps get you started on your security program, and don’t hesitate to ask questions.
