Critical Comparison of ISF and COBIT
Essay by review • February 17, 2011 • Research Paper • 2,578 Words (11 Pages) • 1,318 Views
PROBLEM STATEMENT
This document serves the purpose of critically comparing the ISF Standard of Good Practice and ISO 17799. This paper will cover, amongst other issues, areas of correspondence, areas of difference, usability and readability.
INTRODUCTION
With constant reports in the media of hacked sites, denial of service attacks, computer espionage and newly discovered vulnerabilities in applications and hardware, it is impossible for the management of any organization to ignore the likelihood of a security incident occurring. Over the last few years concern to protect the organization’s assets and minimize liability has grown substantially, and recently it has become management’s personal responsibility to implement effective information security controls.
The majority of organizations will typically have some security controls in place, often a mix of technology (e.g. firewalls and anti-virus software) and documented policies (e.g. Password Policy, Email and Internet Usage Policy). The real challenge is developing these into an integrated Information Security Management System that will support the organization’s key business processes and strategic objectives as well as protect the electronic assets of the company and mitigate any risks that will result in an unfavorable situation for the company.
Why use a standard, one may ask? There are few organizations nowadays who do not have links from their internal systems to the Internet, and who cannot identify outsiders, such as competitors or criminals, who may wish to exploit the information on their systems to their advantage. Without a standard approach to an area as diverse and as vital as information security, it is unlikely that the organization will consider all aspects of security, leaving it at risk from a security incident that may seriously damage its business. That is where the use of standards is crucial: they provide guidelines on dealing with the diverse aspects of information security and consider all of those aspects.
Adoption of these standards is currently seen as the best way for an organization to address information security in a systematic and comprehensive way, by using industry best practice standards as a baseline. It is worth stressing the use of the standards as a baseline, simply because the standards are merely guidelines and will not protect you from all security risks, but will reduce the probability of known risks occurring.
There are two leading international best practices for information security governance: the ISF Standard of Good Practice and ISO 17799. This paper will outline what these standards are and, through explanation of these standards, show clearly some of the similarities, discrepancies, shortfalls and advantages of following these international guidelines, and will also determine their ability to be complementary to other best practices such as COBIT or ITIL.
ISO 17799
ISO 17799 is a ‘Code of Practice for Information Security Management’, which is an International Standard providing best practice guidance on security controls that should be considered for implementation within an organization. This is the ‘Code of Practice’ for information security management, which details the recommended security measures and practices that support the controls in ISO 27001.
As it is a ‘Code of Practice’, organizations cannot be certified against ISO 17799. Certification is only possible against ISO 27001, with ISO 17799 used as the basis for the selection of the most suitable security measures for each control. ISO 17799 is not a detailed specification of requirements and makes this clear in the preface, stating, ‘The guidance and recommendations provided throughout this Standard should not be quoted as if they were specifications.’ Often more detailed technical standards and guidance are necessary to support the implementation.
ISO 17799 aims to be as comprehensive as possible in identifying the range of controls needed for most situations where information systems are used. These measures include practices, procedures or mechanisms which may protect against threats, reduce vulnerabilities, limit the impact of an incident or otherwise protect against risks.
The structure of ISO 17799 involves the standard containing 11 security control clauses and 39 security categories, plus an introductory clause introducing risk assessment and treatment. Each of these clauses contains a number of main security categories, as indicated by the numbers in brackets in the list below. There are 39 categories in total. Each of these main categories contains a control objective stating what is to be achieved and one or more controls that can be applied to achieve this control objective.
ISO 17799 takes a very structured approach towards each control: it defines a specific control statement to satisfy the control objective, then provides implementation guidance giving detailed information to support the implementation of the control, and also provides any other information that may need to be considered, such as legal considerations. The 11 clauses and main categories include (numbering referenced to ISO 17799):
Security Policy (1): Shows management commitment to security through the issue and maintenance of an organizational Security Policy.
5.1.1 Information Security Policy Document
5.1.2 Review of the information security policy
Organizational Security (2): Assigning security responsibilities and setting up an infrastructure for management of information security within the organization.
6.1 Internal Organization
6.2 External Parties
Asset Management (2): Establishing and implementing a system for management of assets, use of assets and the classification and handling of information.
7.1 Responsibility for Assets
7.2 Information Classification
Human Resources Security (3): Reducing the risks linked to personnel by effective screening of staff, suitable confidentiality and employee contracts, providing on-going security awareness training and the management of user accounts
...
...