Friday | 10 July, 2009
CSO
10 of the Best for Security
As enterprises continue to automate processes and extend beyond traditional boundaries, they need to ensure that a strong security awareness program is in place.
Sue Bushell (CIO) 08/03/2006 16:14:49

5. Take Your Measure

Aberdeen recommends that organizations take the following actions to improve security for information and access:

• Link business drivers and pressures with automating information access.

• Adopt business-focused performance metrics, which drive results faster than traditional IT-selected security performance metrics.

• Map business performance metrics with those that can be monitored.

• Foster a corporate culture and business processes oriented around the end user.

• Consider implementing the practices of the profile organizations.

• Build a leadership council that includes business leaders.

Aberdeen says firms performing at best-in-class levels for governing security define their performance objectives and measurement metrics, continually measure themselves against these objectives, and update performance objectives to keep pace with changing business pressures.

6. Set Some Standards

Growing numbers of business and government agencies are recognising AS/NZS 7799 certification as the benchmark for security management practices. A survey by NetIQ of 200 security experts attending AusCERT in 2005 found that AS 7799 certification influenced the IT security strategy of more than 40 percent of respondents.

State and federal governments have also made moves to establish AS/NZS 7799 certification as the mandatory standard for departmental security frameworks.

"IT management has been escalated to the board and chief executive level because of security issues," says Glen Noble, general manager Data and Hosting Solutions, Macquarie Telecom. "Corporate governance requirements and the increasing business reliance on the Internet mean the consequences are greater should there be a security breach.

"The directive from this level down is to identify ways to mitigate risk. Certifications such as AS/NZS 7799 are one way of doing this. They provide independent verification that a supplier has the appropriate policies, processes and controls in place to protect information assets."

Aberdeen agrees best-in-class firms place a strong emphasis on standards and policies to ensure everyone in the organization understands what is expected, and the role everyone plays in improving security performance.

"The organization should not go it alone from the yardstick you are using to measure your organization," Wise says. "There are a number of international standards that organizations will use for security management in order to design the way that the organization will actually construct and define their security approach. A standard like ISO/IEC 17799 is one that you will hear of a lot in information security, and that gives a good approach in a high-level sense for organizations as far as mapping out risk management activities and then control applications, and that's when you get into technology and firewalls. Also policies and procedures and those sorts of things."

The revised ISO/IEC 17799, Information technology - Security techniques - Code of practice for information security management, integrates the latest developments in the field to maintain it as the international standard code of practice.

Ted Humphreys, convenor of the ISO/IEC working group that developed ISO/IEC 17799:2005, says the revised version of this standard provides organizations with many state-of-the-art additions and improvements in information security best practice. "For example, better management of security arrangements with external businesses, outsourcing and service providers, enhanced incident handling capability, dealing with problems of patch management, mobile devices, wireless technologies and harmful mobile code via the Internet, improvements in best practice managing human resources and several other new features."

ISO/IEC 17799:2005 is a code of practice for information security management rather than a certification standard; it was neither designed for nor is it suitable for that purpose. Its companion specification standard, ISO/IEC 27001, Information security management system (ISMS) requirements, is the one that can be used for certification. The ISO/IEC working group says this new version addresses the security of information in its widest sense, providing best business practice, guidelines and general principles for implementing, maintaining and managing information security in any organization producing and using information in any form.
