Did anyone here think to train personnel or implement security rules following the ISO 17799 (BS 7799) Standard? If so... how much do you think this counts in an organisation? Please send feedback!
This is basically a best practices standard that outlines how to establish and maintain a security policy and organization within a business environment. Information Security in a business is a lot more than just running security applications, installing firewalls, and creating user accounts. To do it right, you need to build and maintain a formal structure to oversee security and its implementation within an organization. Standards have to be created and followed. Accountability must be assigned. Documentation is needed. Auditing must be done... It's all pretty dry stuff, and is not very interesting to home computing users. But it is a necessary evil in a business environment, especially for publicly traded companies, or those subject to outside audit or oversight. The answer to xss.ro is really a whole bunch of questions. The value of implementing the standard depends entirely upon the organization's needs. Start with questions about the type of organization; its size; its clients, customers and employees; the type of data it handles and the exposures it'd face given data loss or theft... After some basic questions, a risk analysis is probably a good place to start. As with most things in business, not everything that appears to be the right way to do something is appropriate in all situations. Different sized companies with different exposure levels require different levels of security.
The standard is great for communication purposes. The real value is that it's a standard that most security professionals (security managers, security architects, auditors) know, so you know what others mean. The standard is quite broad. Security measures are on a strategic level (do you have a security policy) as well as on an operational level (do you have anti-virus). It's an ISO standard, but one may well wonder why, since it's not very consistent in this manner. We use it to define our own security policy and our own security planning. I don't like the standard, but it can be used to create awareness at corporate management level, and as such it can be used as a basis for your security budget claim. It's okay as a communication means, but implementing it will not make an organisation secure. It's okay to use as a checklist, though; an organisation can be certified for implementing the standard.