NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 CIO BlackBerry News and Tips
 CIO Research and Analysis
 CIO Microsoft
 CIO Insider
 
 
 
SUBSCRIBE TO CIO
 
Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

 


Tue, Apr 17, 2007 2:41 EDT

I've had it with people who copy ISO 17799 and call it their "security policy."

Topic: IT Organization Management

Current Rating: 5 Comments: 3

Okay, enough is enough. While pedestrian IT staff might think it is "good enough" to buy some of the "policy on a CD" kits that are floating around, real CIOs and CISOs need to start stepping up to the plate and start creating real-world, accountable, and measurable IT security and assurance policies.

Over the course of the last couple years while researching material for our book called "Say What You Do," about writing policies and procedures, my co-authors and I came across more organizations than we thought that were (and some still are) using a copy-and-pasted version of ISO 17799 as their "security policy."

That doesn't work.

First, let's get the terms straight -- in this world of compliance we are creating assurance policies, not security policies. We are not only assuring confidentiality and integrity, but availability and accountability as well.

Second, I love ISO 17799, don't get me wrong. But it has major league holes in it. Holes big enough to drive a truck through when picking apart a company's confidentiality plan, or availability plan. For instance, it never mentions cooling - try to run a data center for more than half an hour without it.

Third, it doesn't provide direct links from regulatory controls through filtering those controls based upon defined system scoping needs, to applying only the appropriate policies, standards, and procedures.

And fourth, the direct tie into metrics and reporting just isn't there, and isn't written into any of the "policies on a CD" product being transmogrified into company "security" policies.

Its time we put away the "toy" security policies and create real-world assurance frameworks. Complete with regulatory control lists, systems scoping definitions, and metrics-based policies, standards, and procedures.

For those already on that path, I applaud and will support you.

For those who think I'm just on a soapbox, well you just don't know how close to slipping on that banana you really are.

Dorian J. Cougias

You do not have flash or javascript support.
Average (4 votes)
5
 
 
Fri, Apr 20, 2007 18:37 EDT
Posted by: BsSorrell
Rating:

The cut and paste Security Policies don't past the sniff test either. If an organization does not put the time and consideration atleast amending ISO 17799 to fit their circumstances rest assurred they have likely not put any effort in to implementing the "policy" either.

Brian Sorrell, CISA, MSCE, CCA

 
Thu, May 3, 2007 13:47 EDT
Anonymous user
Posted by: Anonymous
Rating:

Excellent article, I am currently trying to do research on what organizations are actuall using. See the link:
http://www.keysurvey.com/survey/143775/132d/

 
Fri, May 4, 2007 1:29 EDT
Anonymous user
Posted by: Anonymous
Rating:

Dorian,

You are correct.

Many overlook the key transformations that need to be done to specifically tailor the standard/s to suit each organization.

This can only be done through using skilled personnel from either within the business (or external as long they have relevant experience) to develop policies and procedures that demonstrate in written form how you are attempting to comply with the standard. The standard sets the outline framework and objectives. ie; take a very fictitious hypothetical example - "ensure a continuous secure network connection to allow online secure access from all points around USA, UK and SEAsia."

How you achieve that (fictituous requirement – assuming one would write that into a standard!) will vary very wildly across every site and reader that tries to interpret that requirement in the standard IN CONJUNCTION with their specific business requirements, budgets, goals and objectives. No CDROM template can answer that question for you!

Tailoring the documentation set can mean expanding on what the standard "outlines" as well as removing or downgrading portions form the standard that are not relevant to the business at hand.

There are no off the shelf, (lets call them loosely) "set of procedures" that can fit all businesses, they need to be heavily modified in almost, if not 100% of the cases.

There are lots of good templates around as to the "shape (style) of the documents" you can use but as for the “content required specific for your business needs”, they will be very "light-on" and the true content needed can only come via skilled personnel from either within the business, or external as long they have relevant experience.

Another aspect that is forgotten is the ongoing training and development including coaching that has to take place when the standard and its associated policies and procedure subsets are deployed.

This is very different to how many see the process as "lets write a bookshelf volume form some CDROM templates and then we comply".

By bookshelf volume I mean a nicely bound manual / CDROM / website that looks all glossy and righteous, but is as ineffective as a catalog book when it comes to being an operational procedure and assurance manual.

All the staff who work under (really means comply with) this standard, through the actual policies and procedures, actually have to "be doing what you say you are doing" as well “as being seen to be doing” when it comes to being assessed as to having an effective standard and policy and procedure set. Not just the person who wrote up the manual! Your aim is to demonstrate compliance with (= doing), and the assurance statement will come from, an internal/external assessor. You can also fail this assurance test, don’t forget.

We wrote about some of these issues around "policy and procedure writing" some years ago at that time focusing on CoBit, COSO, SOX etc but the words written then also apply to writing policies and procedures to comply with an ISO standard - see http://www.pcprofile.com/Governance.pdf

Post new comment

* Subject:
* Username:
* E-mail:
The content of this field is kept private and will not be shown publicly.
Homepage:
* Body:
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <blockquote> <strike> <p> <br>
  • Lines and paragraphs break automatically.
More information about formatting options

* Denotes required field.

Hot Conversations

Take My Windows 7 Please: A Resale Tale

Posted by Shane ONeill in News | 6 comments

Creating a Privacy Policy Part V

Posted by Ariel Silverstone in Best Practices | 1 comments

Start a Conversation
Click to post

Got something to say? We want to hear it! Click the Post button to get started. GO»

EXPERT ADVICE
See our roster of experts.

Advice & Opinion from more than 113 of IT's most insightful thinkers.

  PARTNERS       WEBCASTS    
 

Windows 7 Webcast Series

There's a lot of buzz about Windows 7 out there. Each month in our webcast series, listen to analysts and customers discuss how Windows 7 and the Windows Optimized Desktop is impacting large companies around the world. Learn how they evaluated Windows 7, including the cost of deployment, deployment strategies, and tangible benefits.

Sponsored by Microsoft  Listen to on-demand Recordings »

 

Service Level Management Best Practices Life Cycle Overview - Improve Service Levels

Best practices for Service Level Management (SLM) is a process for consistently meeting customer requirements and delivering on IT's promises. See the steps required to ensure high-quality SLM.

Sponsored by Compuware  Read this White Paper »

 

Keeping Your Members Safe from Online Scams and Predators

In order to keep fraudsters out, romance sites must deploy effective solutions that look at information independent of what is supplied by users. A device fingerprinting solution such as iovation ReputationManager™ provides unique insight into the computers being used to create multiple accounts and exposes hidden device-account relationships that identity-based fraud solutions often miss.

Sponsored by iovation  Read this White Paper »

Resource Alerts

Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.

Resource Alerts

Get instant email notification when white papers, webcasts, and case studies are added to our library. Don't just be up-to-date—be up to the minute with our new Resource Alerts.

Defend Against Blended Threats: What You Need to Know

Blended Web and email threats are becoming increasingly complex and represent a huge...  View Now »

 

Prescriptive Actions to Reduce Risk

In this Webcast, learn best practices for effective systems management in a heterogeneous environment and keep client systems cost under control.   View Now »

 

Webcast- Vantage 11: Redefining Application Performance Management

Compuware's latest release, Vantage 11, is a major advance in end-to-end application performance management--bringing together proactive issue identification, quantification of business impact and problem resolution into a single solution. Tune in to learn how Vantage 11's top-down approach helps you make better decisions and dramatically lower operations costs.  View Now »

Resource Alerts

Get instant email notification when white papers, webcasts, and case studies are added to our library. Don't just be up-to-date—be up to the minute with our new Resource Alerts.

 
NEWSLETTER

Sign-up for the Blogs & Discussion Newsletter

 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

See how AT&T can help protect your network.

Top Five CIO Challenges

Streamline IT Costs. Boost Performance with WAN Optimization.

Want to know how you can maximize employee productivity?

Build your 1st app FREE with Force.com

TDWI checklist helps define data readiness for analytics. Download report.

Increase UPS efficiency without sacrificing protection.

A Clear View Toward Virtualization

Virtualization Technology as a Business Solution

The rules of infrastructure management just changed.

A Clear View Toward Virtualization

Interactive Q&A helps you discover key ways to maximize IT assets.

Ready to virtualize tier one applications? Check your virtualization maturity.

Think you can't afford a Cisco Switch? Cisco Catalyst Switches are now more affordable.

Five minute business analytics assessment. Immediate results.

The Case for Investing in Business Analytics Technology. Read white paper.

White Paper: Right-Sizing Your Power Infrastructure

Webcast: Unleashing the Power of Customer Data

White Paper: Managed Security for a Not-So-Secure World

SharePoint - Unchecked growth of content is unsustainable.

White Paper: Legacy Tools: Not Built for the Helpdesk

Taking a Seat at the Executive Table: The Reality of Virtualization

Five-Step Mobility Management Plan

White Paper: Next Generation Remote Infrastructure Management

Disciplined Autonomy: Resolving the Tension Between Flexibility and Control

Join us at the US-Brazil IT-BPO Summit, on November 10th in New York.

Unified Communications: Thoughts, Strategies and Predictions. Join the discussion

Read the RSA report: Security for Business Innovation

Webcast: Looking to the Cloud for Email and Collaboration Services

64-page prescriptive guide to security, compliance, and IT operations.

Keep your IT expertise up to date. Join the Intel Premier IT Professionals.

A new fleet of PCs with a total ROI in 10 months. Find your ROI.

eZine: A Roadmap to Reducing IT Complexity

Reduce risk, gain agility. See how Progress can help your business.

Virtualization Technology as a Business Solution

eZine: A Roadmap to Reducing IT Complexity

World-class trading technology solutions from NYSE Technologies.

If You're Paying for Telecom, You're Paying Too Much. Contact Asentinel Today.

Trade-In your old printer and save up to $1,000 plus free recycling!

infoBOOM! - The Mid-Sized Company CIO's Exclusive Community

Live Webinar: Applying Business Analytics. Click here to learn more

White Paper: 4 Customer Service Myths

Mobile Security: The Essential Ingredient for Today's Enterprise

White Paper: Improve Agility with Operational Responsiveness

White Paper: 5 Best Practices for Smartphone Support

Global Research: CIOs Weigh In On Virtualization

5 Key Virtualization Management Challenges

Learn How Web Site Performance Impacts Shopper Behavior

IDC White Paper: CCM for IT Compliance and Risk Management

Tolly Group Lab Test Results: Cisco vs. ShoreTel