Davey Winder's Blog

YASS (Yet Another Security Standard)

By Davey Winder in Editorial

Posted in Security on October 16, 2007 at 10:54 am


News has just reached me that the Information Security Forum (ISF) has launched the 2007 version of its international Standard of Good Practice for Information Security, intended to help companies implement good practice in information security and mitigate information risks.

As someone who earns at least part of his living writing about security best practice, I am all in favour of anything that can help companies get it right in the face of increasingly complex legislative and corporate governance requirements. I am also all too well aware that it can be something of a deep-pockets minefield, with organisations charging an arm, a leg and three quarters of your bottom just to get your hands on their ‘standard’ documentation. Which is why I was pleased to see that the ISF has made its Standard of Good Practice documentation freely available for download.

Kim Aarenstrup, Chairman of the ISF and Group Head of Information Security at the A.P. Moller - Maersk Group, explains that “our aim is to raise awareness of information security and improve policies, standards and procedures; and to help organisations undertake risk analysis, develop best practice controls and measure their effectiveness.”

Cool. We can all applaud that then.

The ISF standard draws on the practical experiences of over 300 leading international organisations, including many of the Fortune 100 companies, and reflects the latest thinking on information security gathered through workshops, face-to-face meetings and interviews, as well as the results of the ISF’s in-depth research and its comprehensive information security benchmarking tool, the Information Security Status Survey. It also has the benefit of a decade of previous versions, bringing a certain maturity to the table that is essential when talking about best practice in any field, but doubly so with security.

Split into six key areas, the Standard provides key objectives and a clear overview of the practical measures and activities that need to be carried out to keep information risks under control. The key areas being:

security management
critical business applications
computer installations
networks
systems development
end user environment

But why should you bother, especially if you are already up to your eyeballs in Sarbanes-Oxley, PCI DSS and the EU Directive on Data Protection while trying to meet ISO/IEC 27002 or COBIT v4.1? Simple: if you comply with the ISF Standard, the chances are that you will find complying with everything else a damn sight easier. That’s what following best practice does.

