Firewall Wizards mailing list archives
Re: OT: Information Security policy
From: Paul Cardon <paul () moquijo com>
Date: Mon, 19 Feb 2001 01:23:02 -0500
Nigel Willson wrote:
How many people actually consider the BS7799 Standard? I have found a majority of companies use BS7799 as a base for policy, especially financial institutions.
There is lots of talk of BS7799 by analysts, big 5 consulting and the trade press, but I haven't seen much direct incorporation into policy of US companies, even financial institutions, which is where I have the majority of my experience. I'm not saying BS7799 shouldn't be considered, just that the statement "a majority of companies use BS7799 as a base for policy" doesn't match the reality with which I am familiar. Nigel, is your statement based on UK, European, US, or other practice?
Yes, a lot of enterprises are basing policy upon privacy standards such as HIPAA and Gramm Leach Blilely [sic]. It can save a lot of cost and pain later.
That's funny, since clear standards that indicate exactly what regulatory agencies will be looking for when enforcing the security aspects of HIPAA and GLB do not yet exist. The closest thing to guidelines so far are the HIPAA Privacy and Security NPRMs. The laws themselves are quite vague about the details as usual (and as they should be). Have you actually read them, Nigel? Again, only the large enterprises are actively incorporating these laws into their policies right now. There is a lot of visible effort with privacy policy, i.e. companies hiring privacy officers and revamping privacy policy. If these laws are doing anything right now to directly influence security policy, it's a much quieter process. The small players are likely to wait until the last minute, when the thought of lawyers knocking on their doors becomes more real, just like many of them did with Y2K. When will we learn?

-paul

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- OT: Information Security policy Scott, Richard (Feb 15)
- RE: OT: Information Security policy Nigel Willson (Feb 16)
- Re: OT: Information Security policy Paul Cardon (Feb 20)
- RE: OT: Information Security policy Keith.Morgan (Feb 16)
- RE: OT: Information Security policy Ben . Grubin (Feb 16)