Too Busy for Information Security? Try This On For Size

By | February 14, 2006

Hearing and understanding the importance of complying with all the new and forthcoming laws and appropriately securing sensitive electronic information is one thing. Finding the time (and the money) to make the rubber meet the road – well, that’s quite another.

With all the HIPAAs, Sarbanes-Oxleys, and the dozen-plus state breach notification laws (like Georgia’s new Senate Bill 230), for most organizations – large and small – information security is not an optional nice-to-have. It’s a requirement of doing business in today’s market – if not in response to government and industry regulations, then in response to business partner and customer requirements.

So, what’s a corporate executive, business owner, or non-security-savvy network administrator to do? Where do you start? Should you re-create the information security wheel and establish your own framework of security controls? Should you hire an outside expert to come in and do it for you?

If neither option melds with your schedule and your organization’s goals and you can afford to spend a hundred and fifty-something dollars, a solid information security jumpstart is just a Web site away. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) recently released a new and improved information security framework titled ISO/IEC 17799:2005 Information technology – Security techniques – Code of practice for information security management. The 17799 framework documents practically everything you need to get started down the road to integrating information security and IT governance with your business.

From risk assessments to security policies to people issues, physical concerns, and business continuity, this security framework outlines the high-level controls needed along with relatively specific implementation guidance on getting the job done. An information security framework such as this cannot be everything to everybody, so don’t expect tons of specifics, but it certainly lays the groundwork for doing security right from the ground up. I use this standard in my work and can’t imagine any new or existing business looking to reconcile with our current information security requirements not benefiting from this standard.

For those organizations looking to improve their competitive edge, ISO/IEC also has a new certification counterpart to 17799:2005 dubbed ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements. Becoming “certified” in these information security practices adds that extra value that can place most organizations ahead of their counterparts and/or competition.

I strongly believe that you shouldn’t have to recreate the wheel – especially when so many tried, true, and low-cost information security resources are at your disposal. If you’re feeling compelled to integrate IT governance with your business goals and need to jump on the security bandwagon but you’re too busy to start from ground zero, consider the ISO/IEC 17799:2005 framework. It likely has just what you need to get those wheels a rollin’.

Copyright (c) 2006 Principle Logic, LLC – All Rights Reserved
