Government regulations are forcing enterprises to develop repeatable, auditable security programs. Many security and risk managers are leaning on accepted standards to build umbrella security programs that encompass numerous best practices, demonstrate security, show repeatable processes for compliance and continual improvement, and better organize security efforts and budgets.
My organization, the Bank of Montreal (BMO), is the first Canadian company to receive security certification under BS 7799, the British standard for security and the basis of ISO 17799.
The ISO standard doesn't have a certification component, but, as we discovered, BS 7799 Part 2 provides a good framework for organizing security activities and maintaining regulatory compliance.
Here are some of the lessons we learned during our certification process:
- Take the training. The BS 7799 certification bodies offer courses on attaining and maintaining certification—they're well worth the time. You will learn the difference between ISO 17799's Code of Practice and the requirements for registration under BS 7799:2-2002.
- Appoint an enthusiastic leader. Every project, especially those that involve heavy paperwork, needs a champion. Select a person who's passionate about security, communicates well and is unafraid to swim in a sea of documentation.
- Define your scope. BS 7799 registration is limited to a specified geographic and organizational scope. Unless you have a relatively small IT shop, chances are you won't be able to include your entire enterprise. We limited our scope to Canadian business activities related to the provisioning of trusted and managed information security services for our internal and external customers.
- Conduct a gap analysis. Self-assessments will help determine the gaps between your security controls and processes, and the standard's requirements. Information and self-assessment kits are available, but an experienced consultant is priceless. BMO's gap analysis showed that we lacked detailed documentation, which made it difficult to show repeatable processes.
- Communicate. Auditors want to verify that you have management support for security. Management must communicate security goals and review them on a regular basis. Not all employees need to be familiar with BS 7799, but everyone must be clear about his role.
- Document everything. Tradition and experience conspire against documented processes; people just know what they have to do. While documenting and communicating processes is evidence of "talking the talk," auditors want to see a formal planning and improvement process in place—proof that your organization is "walking the walk."
- Don't chase perfection. Design a corrective action list early in the process, keep it up to date and follow up on it. The goal is to show that you learn from past experiences, not that you are perfect.
What BMO gained from this process is a robust, well-documented security program with repeatable processes that can be demonstrated to internal and external parties. Whether you're adopting a generally accepted standard, seeking certification under BS 7799 Part 2 or developing your own internal security controls, you'll likely go through some or all of these lessons on your way to achieving your goal.