Community Publishing
Too Busy for Information Security? Try This On For Size.
By Kevin Beaver, CISSP on Wednesday, February 01, 2006
Hearing and understanding the importance of complying with all the new and forthcoming laws and appropriately securing sensitive electronic information is one thing. Finding the time (and the money) to make the rubber meet the road – well, that’s quite another. With all the HIPAAs, Sarbanes-Oxleys, and the dozen-plus state breach notification laws (like Georgia’s new Senate Bill 230), for most organizations – large and small – information security is not an optional nice-to-have. It’s a requirement of doing business in today’s market – if not in response to government and industry regulations, then in response to business partner and customer requirements.
So, what’s a corporate executive, business owner, or non-security-savvy network administrator to do? Where do you start? Should you re-create the information security wheel and establish your own framework of security controls? Should you hire an outside expert to come in and do it for you?
If neither option melds with your schedule and your organization’s goals and you can afford to spend a hundred and fifty-something dollars, a solid information security jumpstart is just a Web site away. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) [www.iso.org] recently released a new and improved information security framework titled ISO/IEC 17799:2005 Information technology – Security techniques – Code of practice for information security management. The 17799 framework documents practically everything you need to get started down the road to integrating information security and IT governance with your business.
From risk assessments to security policies to people issues, physical security, and business continuity, this framework outlines the high-level controls needed along with relatively specific implementation guidance on getting the job done. A framework such as this cannot be everything to everybody, so don’t expect exhaustive technical detail, but it certainly lays the groundwork for doing security right from the ground up. I use this standard in my work and can’t imagine any new or existing business trying to meet today’s information security requirements not benefiting from it.
For those organizations looking to improve their competitive edge, ISO/IEC has also published a certification counterpart to 17799:2005, ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements. Where 17799 describes the practices, 27001 specifies the requirements an organization’s security management system is audited against. Becoming certified demonstrates to business partners and customers that these practices are actually in place, and that extra assurance can set an organization apart from its competition.
I strongly believe that you shouldn’t have to recreate the wheel – especially when so many tried, true, and low-cost information security resources are at your disposal. If you’re feeling compelled to integrate IT governance with your business goals and need to jump on the security bandwagon but you’re too busy to start from ground zero, consider the ISO/IEC 17799:2005 framework. It likely has just what you need to get those wheels a rollin’.
Kevin Beaver, CISSP Principle Logic, LLC
kbeaver@principlelogic.com