Hi,

I was lucky, the organisation I work for has government links and our
regulatory authority moved their policies over to be 7799 compliant meaning
our management had to listen to what we'd been saying for ages. I don't know
what the government requirements are in Slovenia but a number of countries
require organisations to follow certain legal guidelines (such as the Data
Protection Act and Computer Misuse Act in the UK, the European Data
Protection Directive for member states, the Gramm-Leach-Bliley Act, Patriot
Act and Health Insurance Portability and Accountancy Act in the US).
Businesses need policies to ensure that these laws are adhered to; in some
companies breaches of some of these types of legal article can lead
to legal action against company Directors. I've found that personal legal
liability can make people listen. Security can bring profit. If you have
5000 employees with Internet access and no usage policies you may find that
productivity goes down as the users may spend more time surfing for holidays
(or porn) than you expected. Stick some policies in place and enforce them
with technical solutions and you could increase productivity and reduce
legal liability (for encouraging a hostile workplace by allowing your
equipment to be used for downloading porn, or even worse, for allowing your
systems to be used to publish porn).

The reason for complying with (1)7799 or the Information Security Forum's
Standard of Good Practice is that they contain an independent framework for
Information Security. The reasons for actually getting certified against
BS7799 are less clear. There are currently only 145 companies worldwide
that hold these certificates but I estimate that thousands of businesses
have used (1)7799 as a framework for their security policies, standards,
procedures and organisation.

The Internet Security Alliance (http://www.isalliance.org) has a free guide
for Senior Managers, described as follows:

"The ISAlliance's Common Sense Guide for Senior Managers: Top Ten
Recommended Information Security Practices identifies 10 of the highest
priority and most frequently recommended security practices as a place to
start for today's operational systems. These practices address dimensions of
information security such as policy, process, people and technology, all of
which are necessary for deployment of a successful security process. The
practices are targeted toward the corporate executive suite in industry and
present a top-down management perspective that an organization can use to
assess its information security posture."

Symantec's Enterprise Security Centre
(http://enterprisesecurity.symantec.com/) has a series of Security Expert
Feature articles including "Information Security - Why Bother?", "Plan to
Save - The Importance of Proper Security Planning" and "A Definitive Guide
to Information Security Policies, Standards and Procedures". Their "Building
a Security Framework" Series includes "The Emerging Global Standard: ISO
17799" and "Taking Information Security Seriously" and "Building Information
Security Policy".

Symantec also has a free report on Internet security threats that shows the
trend in Internet based attacks.

The Human Firewall Council has a "free tool for benchmarking security
management best practices". You are asked questions covering sections of
ISO17799 and you are given a score of how good your organisation is. For more
information go to http://www.humanfirewall.org.

The Information Security Forum has a Standard of Good Practice that provides
a set of high-level objectives for information security together with the
associated statements of good practice. It can be used to improve the level
of security in an organisation. The Forum has made the Standard free to use,
and it can be found at www.isfsecuritystandard.com.

The SANS Institute has a Security Policy Project at
http://www.sans.org/newlook/resources/policies/ that includes sample
policies to use.

Amongst other things SearchSecurity (http://searchsecurity.techtarget.com/)
includes sections on security management, including best practices, policies
and organisation issues.

Security Awareness Incorporated (http://www.securityawareness.com) includes
an archive of high profiles that highlights what can happen if policies
aren't followed (or written in the first place).

There are many other resources on the Internet including
http://www.information-security-policies-and-standards.com and
www.iso17799-made-easy.com/policies.htm that have information that might
help.

Hope This Helps,

Ian.
----- Original Message -----
From: "Matej Pfajfar" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 17, 2002 8:03 AM
Subject: Security from a management perspective


> Hi,
>
> I was wondering if people had any experience/thoughts on presenting
> ITSEC to high management. I.e. Why is security good for the company, why
> should there be a good security policy and why spend money on something
> that doesn't directly bring profit? Why comply with BS and ISO itsec
> standards? Or even "why hire security professionals", spend money on
> certification etc.?
>
> Any thoughts, pointers to existing material on the subject (academic
> papers etc.)?
>
> Mat
>
> --
> Matej Pfajfar
>
