Wednesday, July 18, 2007

Security and Compliance 1

Security and Compliance (Part I)

It is possible to have excellent security and not be compliant, and it is also possible to pass a compliance audit and still have very poor organizational security. The illusion that compliance equals security has led organizations to spend excessively on compliance to the detriment of security.
There are five principles for balancing compliance with security:
• Base your security program on a security framework
• Leverage compliance budgets for information security controls
• Automate policy compliance and auditing
• Be prepared to manage change in threats and regulations
• Create an effective awareness and training program

Different organizations, information security professionals and consulting companies approach a security program in different ways. Many organizations follow the ISO 17799 (International Organization for Standardization) approach, and a few follow the COBIT (Control Objectives for Information and Related Technology) standards; both are great starting points. But there is another approach called the Sherwood Applied Business Security Architecture (SABSA).
The SABSA model uses different roles, each working from its own perspective:
• Business owner – Contextual
• Architect – Conceptual
• Designer – Logical
• Builder – Physical
• Tradesman – Component
• Facilities Manager – Operational

The SABSA model slices an enterprise into six layers so that security can be more focused and more business-oriented. Although the model is theoretical and academic in nature, once an organization has its security building blocks in place it can evolve past the ISO model and implement SABSA.

Complying with BS7799/ISO 17799

Developing and implementing the standard, from both a business and a technical perspective, covers two parts:
Part 1
• Code of practice for information security management
Part 2
• Specification for information security management systems

Why Implement:
• Helps realize the security policy
• Builds a level of business confidence
• Easy and flexible architecture
• Common standard
• Position of strength
• Ability to leverage business benefits
• Develop best practice
• Introduce benchmark standards
• Recognized international standards

The standard was developed from the following legislation:
• Data Protection Act 1984
• Data Protection Act 1988
• Data Protection Act 1998
• Computer Misuse Act 1990
• Copyright Designs and Patents Act 1988
• Human Rights Act 2000
• Regulation of Investigatory Powers Act 2000 (RIP Bill)

I wish you great success.
