Information Security Forum standard will help firms draft a comprehensive best-practice plan of action for security
One of the questions I get asked most is, "What is the biggest information security problem?"
The thing is, there is no one big security problem - just lots of small, medium and large ones, any of which pose a potential risk to the security of organisations.
It is this range of problems - phishing, spyware, viruses, compliance, spam, intrusion detection, instant messaging and mobile communications, to name just a handful - that presents the major challenge. It is a challenge that is not helped by the fragmented nature of the security industry, where there are hundreds of suppliers, all claiming to solve bits of the jigsaw.
To find a way through this minefield, security managers need to get better at showing how best-practice security delivers real value to the business in a way that can be understood by the board.
It is no good trying to sell security on fear alone. Financial directors respond best to quantified figures, risk charts and return on investment models. But it has never been easy to promote the business benefits of security.
There is certainly a job to do in implementing best-practice management processes and increasing the awareness of security in the organisation. But the real trick for IT and security managers is to create a comprehensive formal security programme, aligned with business strategy, that identifies key information assets, measures and analyses the risk, and drives security programmes and spending accordingly.
That is why the Information Security Forum has developed a standard of good practice to provide an international industry benchmark for organisations of any size. It is the only detailed and comprehensive global standard that allows organisations to manage the full range of threats and improve levels of information security, and it is free of charge.
The standard is split into five key areas: security management, critical business applications, IT installations, networks and systems development. It provides a set of high-level principles and objectives for information security, together with practical steps to implement good practice.
The 2005 standard pays particular attention to issues such as secure instant messaging, web server security and patch management, as well as important and changing areas including information risk management, outsourcing and the disappearance of the network boundary.
With organisations facing a daunting task to manage the breadth and depth of information risk, and to meet the growing demands of corporate governance initiatives such as Sarbanes-Oxley, the standard provides a framework to implement international best practice, comply with legal and regulatory requirements and reduce the likelihood of disruption from major incidents.
As Information Security Forum members will attest, in information security terms, size is not the problem. At the top of the agenda for the 400 security managers at the last Information Security Forum International Congress were the impact of legislation such as Sarbanes-Oxley, the need to measure and analyse information security risk, and the rising demand for secure remote access and deperimeterisation.
Jason Creasey is head of projects at the Information Security Forum, and a keynote speaker at Infosecurity Europe 2005.
www.securityforum.org