Security has become THE hot topic. You'll probably see more
discussion and emphasis on security in 2002 than you have in the last
ten years. Why? Because the world is moving toward complete electronic
communication where everything from the conversations on your mobile
phone to your medical records to your credit card statements are now
only digital bits floating around cyberspace.
Many organizations are rushing to assemble a security policy that
defines, prescribes and enforces the security measures they deem
appropriate and necessary for their industry. However, without a solid
guideline, a custom security policy can often act more like a screen
door with a rip, instead of a sealed submarine hatch.
There are several means by which an organization can create a
security policy which contains fewer holes than otherwise. These
include starting off with another organization's policy and customizing
it as needed and hiring a security consultant to create a policy from
scratch. Both of these options have benefits and drawbacks, most of
which are obvious.
If your organization is determined to create an internal document
with as little external help as possible, then there are other
alternatives for you: the ISO17799 Standard or the Common Criteria.
Both of these documents will provide you with a wealth of information
related to security policies and the security features of computers and
software products.
The ISO17799 Standard is a set of security standards that were
originally defined by the British Standards Institution as BS 7799. The
original standards were adopted and approved by the ISO, IEC and JTC1
(International Electrotechnical Commission, International Organization
for Standardization and Joint Technical Committee). In 1998 these
standards were re-formulated to allow for evaluation of compliance with
the standards. The ISO17799 defines a framework for security policy.
You can learn more about ISO17799 from www.iso17799-web.com. However, to see the contents of the standard, you'll have to purchase them.
Another alternative, especially for those within the United States,
is the Common Criteria. The Common Criteria (also known as
International Standard 15408) was created by a joint effort between
security organizations from the U.S., Canada, France, Germany, the
Netherlands and the U.K. The Common Criteria replace the previous
standard of C2 or orange book certification. Unlike the ISO17799
Standard, the Common Criteria defines the features of computer systems
and products which offer support and control security. For more
information on the Common Criteria, visit http://csrc.nist.gov/cc/ or http://www.commoncriteria.org/. You can download a free copy of the Common Criteria from either site.
About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
DISCLAIMER:
Our Tips Exchange is a forum for you to share technical advice and
expertise with your peers and to learn from other enterprise IT
professionals. TechTarget provides the infrastructure to facilitate
this sharing of information. However, we cannot guarantee the accuracy
or validity of the material submitted. You agree that your use of the
Ask The Expert services and your reliance on any questions, answers,
information or other materials received through this Web site is at
your own risk.