fyIT

July 6, 2006

Could ISO 17799 be a Solution to the IT Compliance Gap?

Regency Technologies attended the C3 Compliance Expo in New York City from June 27-29. While the conference highlighted many areas of compliance, one of the biggest challenges facing companies today is how to implement policies and procedures for managing their IT assets and information.

A large part of the problem is that IT has only recently been considered an actual line of business. In the past, an IT department existed solely to support the rest of a business. Today, IT has assumed center stage. Unfortunately, in many organizations, the procedures that were used to develop a successful core business are not being applied to IT.

The exposure is huge and is growing. Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA) are just a few pieces of legislation that are triggering widespread concern within companies as to how compliance should be achieved. The stakes are high, budgets are tight, and there is no “how to” book that has been published...yet.

One development discussed at the conference that might give companies a chance to level the playing field is the International Organization for Standardization’s ISO 17799. This set of standards provides a method to achieve procedural controls over the IT line of business. ISO standards have been used in manufacturing and distribution businesses for years. Today, as financial services firms are challenged to document policies and procedures for handling IT, ISO might be a solution worth considering.

The ISO 17799 Standard is a code of practice for information security management. It provides a broad overview of information security from several different angles. It also provides a comprehensive set of best practices for information security.

One goal the standard accomplishes is the definition of an information security management system. Another is the identification of critical assets, which can be achieved via a business risk assessment. Most importantly, it helps define the responsibility and organizational structures for information security in the company.

Some of the clauses covered by the standard are:
• Security Policy
• Asset Management
• Physical and Environmental Security
• Access Control
• Information Security Incident Management

An ISO 17799 evaluation can help highlight critical areas in a company’s IT infrastructure. It can reveal significant gaps and suggest areas for improvement.

For more information on ISO 17799 visit www.iso.org/iso/en/prods-services/popstds/informationsecurity.html

All of us at Regency Technologies hope that this information helps you better manage the rapidly changing environment within our industry. We will continue to keep you informed and provide suggestions and solutions.

Contact us to learn about the many ways we can help you manage your IT assets.

©2006 Regency Technologies, LLC :: 30700 Carter Street, Suite F :: Solon, Ohio 44139
440.248.3991 phone :: 440.248.3997 fax