Lawrence M. Walsh
There was hardly a consensus when the International Organization for Standardization (ISO) adopted ISO 17799, the "Code of Practices for Information Technology Management," in August 2000. A carbon copy of the first half of the much-maligned BS 7799, the document drew sharp criticism from major IT nations, which charged it didn't meet the criteria of an international standard.
"There wasn't even an opportunity to compare it to all the other work, even done within ISO that has been done on security" says Gene Troy, a U.S. representative to the ISO technical committee.
Even as the ISO undertakes a major review of the standard, ISO 17799 -- and its British Standards Institute's (BSI) cousin -- are rapidly becoming the canon for information security management. According to Giga Information Group, increasing regulatory and marketplace pressures are prompting many organizations to adopt standards to validate their security programs and demonstrate an ongoing commitment to security.
"Right now, a lot of organizations don't have an information protection program. If they do, it's not really defined. So ISO 17799 can help them define it," says Michael Rasmussen, a senior industry analyst at Giga.
ISO 17799's chief attribute is its flexibility. Written in an open framework, the standard's compilation of "best practices" can be applied by any organization regardless of size or industry. It's also technology neutral, never pigeonholing an adopter into specific security solutions.
The standard's flexibility, however, is also its Achilles' heel. Critics say ISO 17799 is too vague and too loosely structured to have any real value. In some cases, they charge, the standard could inadvertently give an organization a false sense of security.
While designed with a global perspective in mind, the standard isn't for everyone. Choosing and implementing it requires a great deal of homework before leaping headlong into compliance.
What Is ISO 17799?
Drafted by BSI in 1995 under the moniker BS 7799, the standard was originally intended as a baseline security matrix for the budding e-commerce industry. Part I of the British version defined best practices for security management, while part II outlined the certification process. In 1999, BSI revised the standard to make it more general and adaptable by almost any organization. In August 2000, BSI presented part I to the ISO for consideration as an international security standard. (BSI didn't submit part II for consideration and wouldn't elaborate on its reasons.)
Several nations--including the United States, Canada, France and Germany--objected to the adoption of ISO 17799. They said it would have been fine as a set of recommendations, but not as a standard. Nevertheless, it was placed on a fast track and quickly adopted.
"There are several different approaches to IT security out there.... It was our feeling that in order to have a truly acceptable international standard, all of this had to be taken into consideration rather than taking it on a fast track from one source," says Troy. "The main security standard was presented as a fait accompli, and there was no significant opportunity for import from other work that had been done in the area."
Michael Hoganstandards liaison for NIST's information technology laboratory
BSI says 7799 was never intended to be a technical standard. Unlike other security standards--such as the Commonly Accepted Security Practices and Regulations (CASPR) or ISO 15408/Common Criteria--ISO 17799 provides a broad, nontechnical framework for protecting information in any form.
"It has to be that way because it has to cross all industries and environments," says BSI spokesperson Steve Tyler. "It's about information security management. It's not like a catalog for an IT shopping trip."
Nevertheless, ISO is revising 17799 to make it a more palatable. The first draft in this review process is currently being circulated for comment. While the reviewing committee expects several changes, it has no timeline for completing the process. Moreover, ISO has no plans to incorporate part II of the BSI model or any other certification process.
"At some point, we have to have a good first standard and keep building on it and building on it as we learn more," says Michael Hogan, standards liaison for the National Institute of Standards and Technologies' (NIST) information technology laboratory. "We're on the road to having a new draft of the standard, and that one will probably be a much more robust and complete document."
Mile Wide, Inch Deep
Although it's technically a standard, ISO 17799 reads like a set of recommendations. It outlines security measures organizations should have, but doesn't specify how to implement them. It simply sets the expectation and processes for protecting information from internal and external breaches, misuse and abuse.
The 10 areas covered by the standard are:
- Security policy: Adopting a security process that outlines an organization's expectations for security, which can then demonstrate management's support and commitment to security.
- Security organization: Having a management structure for security, including appointing security coordinators, delegating security management responsibilities and establishing a security incident response process.
- Asset classification and control: Conducting a detailed assessment and inventory of an organization's information infrastructure and information assets to determine an appropriate level of security.
- Personnel security: Making security a key component of the human resources and business operations. This includes writing security expectations in job responsibilities (IT admins and end users), screening new personnel for criminal histories, using confidentiality agreements when dealing with sensitive information and having a reporting process for security incidents.
- Physical and environmental security: Establishing a policy that protects the IT infrastructure, physical plant and employees. This includes controlling building access, having backup power supplies, performing routine equipment maintenance and securing off-site equipment.
- Communications and operations management: Preventing security incidents by implementing preventive measures, such as using antivirus protection, maintaining and monitoring logs, securing remote connections and having incident response procedures.
- Access control: Protecting against internal abuses and external intrusions by controlling access to network and application resources through such measures as password management, authentication and event logging.
- Systems development and maintenance: Ensuring that security is an integral part of any network deployment or expansion, and that existing systems are properly maintained.
- Business continuity management: Planning for disasters--natural and man-made--and recovering from them.
- Compliance: Complying with any applicable regulatory and legal requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and cryptography export controls.
Not Exactly Tailor-made
ISO 17799 is designed for any-sized organization, which means it contains more than any organization will ever use. For the most part, the standard is used as a checklist for developing security policies. Organizations take only what sections they need to develop a sound framework. Only in a few cases is the entire standard applicable.
"Sociologically, it's much like Y2K, where management says where you are, where you're going and what needs to be done," says Lawrence Dietz, director of market intelligence at Symantec (www.symantec.com). "In the big wide world of sports, you have to combine information security with physical security with personnel security. When you clamp down on information security, it's a combination of policies, procedures and technology. ISO 17799 provides a checklist for doing that."
A checklist is exactly what David Stacy, global IT security manager for St. Jude Medical, sought when he set out to draft a security policy for the billion-dollar medical equipment manufacturer. Although he had ample experience in writing security policies and procedures, he found ISO 17799 useful for staying focused.
"In approaching that task, I asked: How are we going to do this? How are we going to get started?" Stacy says. "[ISO 17799] gave me some direction in the scope of what I need to cover in the IT security policies and standards, and the different topics that needed to be included."
As an independent source, ISO 17799 is often used to help sell the need for security to otherwise uninitiated executives. "Sometimes when you ask questions about security, [they] might think that you're being extreme," says Dick Mackey, a principal at security consultancy SystemExperts (www.systemexperts.com). "But when it shows up in a specification, it automatically gives it credibility."
In the Neutral Zone
ISO 17799 requires organizations to protect their information assets, but doesn't specify how. By staying technology neutral, the standard has the ability to grow with the rapidly changing technology landscape. Nevertheless, the standard rarely attempts to provide guidance in evaluating or understanding existing security measures. In the minds of adopters, this is a big drawback.
For instance, the standard recommends the use of adequate access control protections and defines many of the different technologies for access control-tokens, certificates and smart cards. However, it doesn't discuss the pros and cons of these technologies in different operational contexts.
Likewise, it recognizes the need for firewalls, but doesn't offer an explanation on the different types of firewalls--packet filters, proxy servers and stateful inspection--and how each is used. Also absent is common sense advice, such as only enabling necessary services.
"The ISO contains a good shell of information, yet lacks depth in new technologies (VPN, remote access, wireless) and recently focused-upon needs such as business continuity/disaster recovery," says C. Tate Baumrucker, a senior consultant with network consultancy Callisma. Such criticisms roll off the backs of ISO 17799 supporters.
"The principle is we have to keep people out of your system effectively," says BSI's Tyler. "Today we may call it a firewall, but next year it might be something else. The forward march of technology isn't the issue here; it's the management."
Not for Everyone
Who shouldn't adopt ISO 17799? Anyone who's looking for the standard to solve all their security woes quickly and inexpensively, for one.
ISO 17799 is open-ended in assessing the value of information resources. It requires adopters to inventory systems and assign value to all digital resources, but doesn't say how that should be done. Conducting self-assessments leaves a lot of room for interpretation and mistakes, which is why BSI and other standard auditors recommend having a professional risk assessment conducted before starting an ISO 17799 compliance effort.
"It needs to be in conjunction or partnered with outside professional services," says Darwin L. Martinez, VP of technology services for National Business Group. "In a large organization, it can be a large engagement, an expensive engagement that only leads to having another long engagement, and the likelihood of getting that kind of support in this economy is slim."
And that leads to cost. A copy of 17799 is available through the ISO Web site (www.iso.org) for 164 Swiss francs (roughly $95, depending on the exchange rate). But that $95 investment is only a fraction of the cost of security assessments, penetration testing, auditors and consultants, which can run into the hundreds of thousands--if not millions--of dollars. This is why organizations with a solid working knowledge of their security threats have a better shot at using the standard.
Even after implementation, ISO 17799 is short on methodologies for measuring the standard's effectiveness when put into practice. Each section contains language on the need for periodic policy reviews and regular compliance checks, but the standard is silent on the mechanisms for these checks. Without such matrices, critics say the standard has no way of proving its value to management.
"Although the guide gave us much help and ideas, it was lacking in the area we really needed it for," says Pete Herzog, director of the security portal Ideahamster, who reviewed and rejected ISO 17799 as a tool for developing a security policy. "It was lacking in the testing of security controls, measures and procedures from the outside to the inside."
The Future of ISO 17799
Security standards are commonplace, but there's little uniformity in determining which set of best practices must be and should be applied to the wide variety of IT environments. For this reason, establishing a universally recognized standard of security policies and practices is tremendously appealing.
But establishing all-encompassing best practices at this time may not be practical. ISO 17799's broad-brush approach may make it universally adaptable, but the standard can hardly stand by itself. Even as ISO works to amend the document, the standard will continue to rely on more specific security standards to buttresses its framework.
Still, ISO 17799 and its cousin, BS 7799, are rapidly becoming the de facto security standard in Europe and the Pacific Rim. Large multinationals--such as Citibank, KPMG, Sony Electronics and Unisys--have certified their security programs through BSI to demonstrate to potential business partners their security proficiency. Several Asian governments--including Taiwan, Singapore and Hong Kong--are requiring companies to receive BS 7799 certification to do electronic transactions with the government. And, insurance companies such as AIG are using ISO 17799 to measure the security of cyberinsurance policyholders.
Market conditions and private-sector initiatives are typically what drive the adoption of an industry standard. However, the growing concerns about cyberterrorism, information warfare and the erosion of personal privacy have governments around the world crafting legislation to improve information security. While ISO 17799 isn't the ideal standard for solving cyberspace's security ills, some say it could very well be the foundation for a universal security standard.
"What's driving interest [in the standard]? Part of it is because there is a lack of consistency in the security biz," says Symantec's Dietz. "Governments don't want to reinvent the wheel, and industry wants measurements, so anything that does that is quite a bit helpful."
About the author:
Lawrence M. Walsh is the managing editor of Information Security.