Information Security Standard not 'just another standard' but an Inevitability


The ISO 17799 information security standard provides tools to establish and manage an organization's information security system

Information is the most critical yet least protected of an organization's assets. Because information is intangible, in part 'virtual,' and usually out of sight (organized in files or folders), decision makers do not treat its protection as a top priority. Moreover, damage to information is not perceived immediately, but its effect is destructive and sometimes fatal.

Information can be compared to an organism's nervous system. Disruption or sabotage of an information system causes disruptions or even paralysis to an entire organization. Just as in medicine, there are two principal types of attacks:

The first is an attack by viruses or worms that damages the system. As in a plague, the damage from these kinds of assaults can be major, but it is temporary. It is possible to vaccinate the system against these kinds of attacks and, when necessary, to effect a recovery within a reasonable amount of time.

The second type of attack is similar to internal diseases that can become chronic or turn cancerous. Their existence is not always recognized, and by the time they are discovered and their damage exposed, they may already have caused an organization's collapse.

International accounting firm PricewaterhouseCoopers (PWC) reported that 38 percent of organizations around the world have suffered from computer fraud. The U.S. Federal Bureau of Investigation added in response that this is just the tip of the iceberg, since the figure does not include organizations that are unaware of the disease harbored in their information systems. What is clear is that all organizations are exposed in one way or another to an attack. The American Computer Security Institute (CSI) reported that known damages from computer crime in the United States alone in 2002 had reached $10 billion.

The information systems of many organizations are damaged each year, and according to PWC, the FBI and CSI, most are unaware of it. All the organizations that were hit had protective systems in place that were circumvented or simply breached. In most cases, it was concluded that the protective systems did not match the extent of the possible threat or were not updated to meet new threats. Moreover, 80 percent of the damages were perpetrated from within the organization.

In all organizations that underwent a preliminary check by the Standards Institution of Israel, it was determined that existing means of protecting information provide only partial defense in certain defined areas, but not against all threats to which the organization is exposed. Technology is still the key to preventing unauthorized penetration of a network, but installing sophisticated protective products remains an insufficient solution. In most cases, what is missing is an overall view, one that includes both the organization's information security philosophy and comprehensive means of action (prevention, response and recovery) that match the organization's needs.

How should an organization protect itself? An appropriate response must address all aspects of the existing dangers, must recognize them, and must take into account all resulting security requirements. It must also define a method that ensures information security systems are up to date at all times, in accord with principles that cover all aspects of security, and that includes professional, independent confirmation that they remain current.

All these principles are embodied in British Standard BS 7799, a standard adopted by the International Organization for Standardization as ISO Standard 17799. The standard defines simple, methodical and practical principles for the establishment, maintenance and continual updating of an information security system. In addition, the standard details verification methods for confirming that the system meets the requirements.

To date, the Standards Institution of Israel has certified twelve organizations as meeting the standard's requirements. Twenty-five organizations have registered for certification, and dozens more (if not hundreds) have purchased the standard and are upgrading their information security systems with the goal of meeting its requirements. This group includes all government offices.

Findings on applying the standard are fascinating:
All these organizations identified gaps between the security requirements uncovered in their review of dangers and their existing protective measures, as well as between the ways they were already managing their security needs and the logical principles whose adoption the standard obligates.
Establishing an information security system that meets the standard's requirements leads to the abandonment of existing approaches and the adoption of more suitable ones. In addition, aside from reducing the chances of an attack, adoption of the standard produces savings. These savings result from the prevention of failures and downtime caused by security events, from faster availability of information, and from increased chances of quick recovery if damage does occur.
All organizations certified to date in Israel report satisfaction with the organized, methodical process the standard obligates, and with the closing of gaps that resulted in increased information security in the organization.

For further information:
Shuky Preis
Center for Information Security
Quality & Certification Division
The Standards Institution of Israel
42 Chaim Levanon Street
IL-69977 Tel Aviv
Tel: 972 3 646 5310
Fax: 972 3 6465205
Cell: 972 5 246 4574
Shuky_p@sii.org.il
www.sii.org.il