Compliance and Security

It is possible to have excellent security and not be compliant, and it is also possible to pass a compliance audit while having very poor organizational security. The illusion that compliance equals security has led organizations to spend excessively on compliance to the detriment of security.
There are five principles for balancing compliance with security:

o Base your security program on a security framework
o Leverage compliance budgets for information security controls
o Automate policy compliance and auditing
o Be prepared to manage change in threats and regulations
o Create an effective awareness and training program

Different organizations, information security professionals and consulting companies approach security programs in different ways. Many organizations follow the ISO 17799 approach (International Organization for Standardization) and a few follow the COBIT standards (Control Objectives for Information and Related Technology); both are great starting points. But there is another approach called the Sherwood Applied Business Security Architecture (SABSA).

The SABSA model defines different roles, each working from one of the following perspectives:

o Business owner – Contextual
o Architecture – Conceptual
o Designer – Logical
o Builder – Physical
o Tradesman – Component
o Facilities Manager – Operational

The SABSA model slices an enterprise into six layers so that security can be more focused and more business oriented. Although the model is theoretical and academic in nature, once an organization has its security building blocks in place it can evolve past the ISO model and implement SABSA.

6.1 Complying with BS7799/ISO 17799

Developing and implementing the standard, considered from both the business and the technical perspective, is covered in two parts:
Part 1

o Code of practice for information security management

Part 2

o Specification for information management systems

Why Implement:

o Helps realise the security policy
o Builds a level of business confidence
o Easy and flexible architecture
o Common standard
o Position of strength
o Ability to leverage business benefits
o Develop best practice
o Introduce benchmark standards
o Recognised international standards

The standard was developed from the following legislation:

o Data Protection Act 1984
o Data Protection Act 1988
o Data Protection Act 1998
o Computer Misuse Act 1990
o Copyright Designs and Patents Act 1988
o Human Rights Act 2000
o Regulatory Investigatory Powers Act 2000 (RIP Bill)

BS7799 Contents of Part 1

o Scope
o Terms and definitions
o Security policy
o Security organisation
o Asset classification and control
o Personnel security
o Physical and environmental security
o Communications and operations management
o Access control
o Systems development and maintenance
o Business continuity management
o Compliance
