Information Security Forum standard will help firms draft a comprehensive best-practice plan of action for security
One of the questions I get asked most is, "What is the biggest information security problem?"
The thing is, there is no one big security problem - just lots of small, medium and large ones, any of which pose a potential risk to the security of organisations.
It is this range of problems - phishing, spyware, viruses, compliance, spam, intrusion detection, instant messaging and mobile communications, to name just a handful - that presents the major challenge. It is a challenge that is not helped by the fragmented nature of the security industry, where there are hundreds of suppliers, all claiming to solve bits of the jigsaw.
To find a way through this minefield, security managers need to get better at showing how best-practice security delivers real value to the business in a way that can be understood by the board.
It is no good trying to sell security on fear alone. Financial directors respond best to quantified figures, risk charts and return on investment models. But it has never been easy to promote the business benefits of security.
There is certainly a job to do in implementing best-practice management processes and increasing awareness of security in the organisation. But the real trick for IT and security managers is to create a comprehensive, formal security programme, aligned with business strategy, that identifies key information assets, measures and analyses the risk to them, and drives security programmes and spending accordingly.
That is why the Information Security Forum has developed a standard of good practice to provide an international industry benchmark for organisations of any size. It is the only detailed and comprehensive global standard that allows organisations to manage the full range of threats and improve levels of information security, and it is free of charge.
The standard is split into five key areas: security management, critical business applications, IT installations, networks and systems development. It provides a set of high-level principles and objectives for information security together with practical steps to implement good practice.
The 2005 standard pays particular attention to issues such as secure instant messaging, web server security and patch management, as well as important and changing areas including information risk management, outsourcing and the disappearance of the network boundary.
With organisations facing the daunting task of managing the breadth and depth of information risk, and of meeting the growing demands of corporate governance initiatives such as Sarbanes-Oxley, the standard provides a framework to implement international best practice, comply with legal and regulatory requirements and reduce the likelihood of disruption from major incidents.
As Information Security Forum members will attest, in information security terms, size is not the problem. At the top of the agenda for the 400 security managers at the last Information Security Forum International Congress were the impact of legislation such as Sarbanes-Oxley, the need to measure and analyse information security risk and the rising demand for secure remote access and deperimeterisation.
Jason Creasey is head of projects at the Information Security Forum, and a keynote speaker at Infosecurity Europe 2005
This was first published in April 2005