- Lawrence M. Walsh
When David Stacy became the global IT security manager at St. Jude Medical, he faced the daunting task of drafting and implementing the company's first InfoSec policy. To get his arms around what needed to be done, he turned to ISO 17799.
"We decided that we needed a policy, or a set of policies, and then we needed standards," says Stacy. "Our interpretation of [ISO 17799] is the policy expresses management's intent. It's very high level that's intended to have a long life for practices. It's kind of like motherhood and apple pie; you don't expect them to change over time."
David Stacy, St. Jude Medical's global IT security manager
A $1.4 billion medical equipment manufacturer with operations around the globe, St. Jude is highly dependent on its computer resources. From the outset, Stacy knew ISO 17799 wouldn't provide him everything he needed to build a security policy for such a large organization. However, it proved a valuable tool for crafting a policy that set the security expectations for his company's 3,500 computer users.
"In approaching that task, I asked: How are we going to do this? How are we going to get started?" Stacy says. "[ISO 17799] gave me some direction in the scope of what I need to cover in the IT security policies and standards, and the different topics that needed to be included."
Using a risk assessment report, Stacy wrote a general security outline around eight of ISO 17799's 10 sections. In three weeks, he had a draft that addressed St. Jude's basic security policies and procedures.
Among the areas Stacy and his team adopted were requirements for a written security policy; IT asset management; access control; provisioning for service providers, security management and maintenance; disaster recovery and business continuity planning; and compliance review procedures. Stacy says he discarded the physical and personnel security sections, mostly because they had little practical value to his environment.
"We did not address every single thing in 17799; we addressed 90 percent of it," he says. "There were some things that didn't apply to our organization."
From there, Stacy and St. Jude's IT and security admins spent the next five months reviewing and revising the document to fit their specific security needs. Last December, Stacy and his team presented company executives with a document that outlined the security policies and expectations for the company's worldwide operations.
St. Jude is now in the process of pushing out its ISO 17799-based security standard to managers across the company. Given the enormity of the task--and because compliance is left to the local security managers--Stacy doesn't expect St. Jude to achieve full compliance for two to three years.
"We needed to have policies and procedures in place, and we need a standard to protect against these risks for the benefit of our customers and shareholders," Stacy says. "We didn't do this to have a certificate on the wall."
About the author:
Lawrence M. Walsh is the managing editor of Information Security.