Firewall Wizards mailing list archives

Re: OT: Information Security policy


From: Paul Cardon <paul () moquijo com>
Date: Mon, 19 Feb 2001 01:23:02 -0500

Nigel Willson wrote:

How many people actually consider the BS7799 Standard?

I have found a majority of companies use BS7799 as a base
for policy, especially financial institutions. 

There is lots of talk of BS7799 by analysts, big 5 consulting and the
trade press, but I haven't seen much direct incorporation into policy of
US companies, even financial institutions, which is where I have the
majority of my experience.  I'm not saying BS7799 shouldn't be
considered, just that the statement "a majority of companies use BS7799
as a base for policy" doesn't match the reality with which I am
familiar.  Nigel, is your statement based on UK, European, US, or other
practice?

Yes, a lot of enterprises are basing policy upon privacy
standards such as HIPAA and Gramm Leach Blilely [sic]. It can
save a lot of cost and pain later.

That's funny, since clear standards that indicate exactly what
regulatory agencies will be looking for when enforcing the security
aspects of HIPAA and GLB do not yet exist.  The closest thing to
guidelines so far are the HIPAA Privacy and Security NPRMs.  The laws
themselves are quite vague about the details as usual (and as they
should be).  Have you actually read them, Nigel?

Again, only the large enterprises are actively incorporating these laws
into their policies right now.  There is a lot of visible effort with
privacy policy, i.e. companies hiring privacy officers, revamping
privacy policy.  If these laws are doing anything right now to directly
influence security policy, it's a much quieter process.  The small
players are likely to wait until the last minute, when the thought of
lawyers knocking on their doors becomes more real, just like many of them
did with Y2K.  When will we learn?

-paul