
Chapter: Information Security : Logical Design

Standard and Practice - Security Models

ISO 17799/BS 7799, Drawbacks of ISO 17799/BS 7799, Objectives of ISO 17799, Ten Sections of ISO/IEC 17799


 

ISO 17799/BS 7799

 

One of the most widely referenced and often discussed security models is the Information Technology – Code of Practice for Information Security Management, which was originally published as British Standard BS 7799.

 

   In 2000, this Code of Practice was adopted as an international standard framework for information security by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799.


Drawbacks of ISO 17799/BS 7799

 

Several countries have not adopted 17799, claiming there are fundamental problems:

– The global information security community has not defined any justification for a code of practice as identified in the ISO/IEC 17799
– 17799 lacks “the necessary measurement precision of a technical standard”
– There is no reason to believe that 17799 is more useful than any other approach currently available
– 17799 is not as complete as other frameworks available
– 17799 is perceived to have been hurriedly prepared given the tremendous impact its adoption could have on industry information security controls


Objectives of ISO 17799

 

   Organizational Security Policy is needed to provide management direction and support.


Ten Sections of ISO/IEC 17799

– Organizational Security Policy
– Organizational Security Infrastructure
– Asset Classification and Control
– Personnel Security
– Physical and Environmental Security
– Communications and Operations Management
– System Access Control
– System Development and Maintenance
– Business Continuity Planning
– Compliance

 

   Alternate Security Models available other than ISO 17799/BS 7799



Copyright © 2018-2024 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.