ISO 17799 for SOX Requires Security, Mindset Changes

By David Haskin

Although Martha Stewart's insider trading trial may be the scandal du jour, the Wall Street scandals of the past few years have combined to create a new challenge for technology executives: complying with complex standards that ensure data security and integrity.

The Enron mess, for example, resulted in passage of the Sarbanes-Oxley (SOX) Act of 2002, which in turn has left many publicly traded companies searching for ways to comply with a whole new set of reporting and data integrity standards.

Some are relying on COBIT (Control Objectives for Information and related Technology), while others are looking to compliance applications from financials vendors such as Oracle. But there is another way to attain compliance: ISO 17799, a standard for managing data security made up of a series of security best practices approved in 2000.

SOX focuses on financial reporting and disclosure, and on the data integrity behind those efforts; it does not require compliance with 17799. But this route can provide a dual benefit: compliance, plus the credibility that publicly held companies crave.

"If you are compliant with 17799, you'll meet the expectations of SOX," said Michael Higgins, managing director of the Technology Risk Management practice for Tekmark Global Solutions, who also teaches computer security and business continuity operations at The George Washington University. That's why CIOs at large publicly held companies often lead the charge for 17799 compliance.

"I wouldn't hazard a guess on percentages, but there's a high level of interest at the CIO level in 17799," agreed Troy Smith, senior vice president of Marsh USA, the consulting arm of insurance broker Marsh, Inc.

However, as is the case with virtually all large-scale projects, complying with SOX using 17799 can be difficult and expensive.

For large companies, Higgins estimates the cost of implementing 17799 would likely run in the low six figures, and that would be for companies with a strong security infrastructure to begin with. Much of that cost will be related to documentation, but some expense will come from, as Higgins put it, "interpolating the standard."

"The IT world has moved on since the standard was developed," he said. "So, for example, you may need to interpolate where the security perimeter actually ends. Is it the home network of a road warrior?"

In broad terms, the 17799 standard covers areas such as:

  • Physical security, such as physical placement of equipment and locks on doors;
  • Personnel security, such as background checks of sensitive employees;
  • Access controls;
  • The enterprise's security organization, including who manages security and how the commitment to security is structured;
  • Security policies and documentation of management direction; and
  • Business continuity provisions.
Like most such efforts, where you are at security-wise will determine how far you have to go, but ultimately, to be successful, buy-in from all employees is required. This means creating a culture of security, not just implementing security products, said Earl Crane, a senior consultant with Foundstone, a security products and services provider.

"Firewalls do nothing if somebody's setting up a rogue (wireless) access point," Crane said. "You need to create a mindset of security to correct those problems and that's a management issue."