ISO 17799: standard for security: organizations can use ISO 17799 as a model for creating information security policies and procedures, assigning roles and responsibilities, documenting operational procedures, preparing for incident and business continuity management, and complying with legal requirements and audit controls.

• Author: Myler, Ellie

[ILLUSTRATION OMITTED]

Pretexting. Zero Day Attacks. SQL Injections. Bots and Botnets. Insider Infractions. Click Fraud. Database Hacking. Identity Theft. Lost Laptops and Handhelds. According to Ted Humphreys, in a recent International Organization for Standardization (ISO) press release, "It is estimated that intentional attacks on information systems are costing businesses worldwide around $15 billion each year and the cost is rising."

Today's information professionals need to address an ever-increasing number of internal and external threats to their systems' stability and security, while maintaining access to critical information systems. As the e-commerce space continues to grow and new tools allow organizations to conduct more business online, they must have controls in place to curtail cyber crimes' malicious mayhem, tampering, and wrongdoing.

Organizations need to address information security from legal, operational, and compliance perspectives. The risk of improper use and inadequate documentation abounds, and the penalties are greater than ever. By combining best practices outlined in the international standard ISO/IEC 17799 Information Technology--Security Techniques--Code of Practice for Information Security Management (ISO 17799) with electronic records management processes and principles, organizations can address their legal and compliance objectives. This article explores the opportunity to bridge the gaps and bring together information security, intellectual property rights, protection and classification of organizational records, and audit controls.

ISO 17799 Components, Applications, Implications

ISO 17799 provides a framework to establish risk assessment methods; policies, controls, and countermeasures; and program documentation. The standard is an excellent model for organizations that need to:

* Create information security policies and procedures

* Assign roles and responsibilities

* Provide consistent asset management

* Establish human and physical security mechanisms

* Document communications and operational procedures

* Determine access control and associated systems

* Prepare for incident and business continuity management

* Comply with legal requirements and audit controls

Information security can be defined as a program that allows an organization to protect a continuously interconnected environment from emerging weaknesses, vulnerabilities, attacks, threats, and incidents. The program must address tangibles and intangibles. Information assets are captured in multiple and diverse formats, and policies, processes, and procedures must be created accordingly.

Organizations can use this standard not only to set up an information security program but also to establish distinct guidelines for certification, compliance, and audit purposes. The standard provides various terms and definitions that can be adopted as well as the rationale, the importance, and the reasons for establishing programs to protect an organization's information assets and resources. Figure 1 depicts the suggested steps and tasks associated with establishing and implementing an information security program.

[FIGURE 1 OMITTED]

This ISO framework is methodically organized into 11 security control clauses. Each clause contains 39 main security categories, each with a control objective and one or more controls to achieve that objective. The control descriptions have the definitions, implementation guidance, and other information to enable an organization to set up its program objectives according to the standard methodology.

Step 1: Conduct Risk Assessments

This component of the standard applies to activities that should be completed before security policies and procedures are formulated.

Risk is defined as anything that causes exposure to possible loss or injury. Risk analysis is defined as a process of identifying the risks to an organization and often involves an evaluation of the probabilities of a particular event or an assessment of potential hazards. Loss potentials should be understood to determine an organization's vulnerability to such loss potentials.

Risk categories are both internal and external and can include:

* Natural: Significant weather events such as hurricanes, flooding, and blizzards

* Human: Fire, chemical spills, vandalism, power outages, and virus/hackers

* Political: Terrorist attacks, bomb threats, strikes, and riots

Conduct risk assessments to understand, analyze, evaluate, and determine what risks organizations feel are likely to occur in their environment. Risk assessment activities involve information technology (IT) and information processing facilities, facilities management and building security, human resources (HR), records management (RM) and vital records protection, and compliance and risk management groups. These groups must collectively determine what the risks are, the level of acceptance or non-acceptance of that risk, and the controls selected to counteract or minimize these risks.

Risk analysis is conducted to isolate specific and typical events that would likely affect an organization; considering its geography and the nature of its business activities will help to identify risks. Loss potential from any of these events can result in prohibited access, disrupted power supplies, fires from gas or electricity interruptions, water damage, mildew or mold to paper collections, smoke damage, chemical damage, and total loss (with the destruction of the entire building).

Regularly monitor emerging threats and evaluate their impacts, as this is a constant, moving target. For example, according to an IMlogic article, "IM [instant messaging] worms are the most prevalent form of IM malware, representing 90 percent of all unique attacks in 2005. These attacks frequently utilized social engineering techniques to lure end users into clicking on suspicious links embedded inside IM messages, enabling the activation of malicious code that compromised the security of host operating systems or applications."

Although threats are increasingly sophisticated in the virtual sphere, the simple occurrence of employees stealing company information on paper is still very real and prevalent in today's work space.

Step 2: Establish o Security Policy

These components of the standard provide the content that should be included as well as implementation guidance to set the foundation and authorization of the program.

To set its precedence, an information security policy should be developed, authorized by management, published, and communicated. It should apply to all information assets and must demonstrate management's commitment to the program. Explain implications on work processes and associated responsibilities and outline them in employee job descriptions.

The security policy should be administered, documented, and periodically evaluated and updated to reflect organizational goals...