RE: diff btw BD 7799, ISF Security Standard, ITIL and others..

Great comment Matthew,

Just to complement on your comment, be aware Nabil that both CoBIT and
ISO17799 have control objectives surrounding compliancy, service level
agreement, and contractual engagement toward customers and from
providers.

It is true that IA normally supports, and are more familiar with CoBIT
but CoBIT is quite large.  The nice thing about it tough is that it
embeds ISO17799 requirements.

My 2 cents

Martin Dion, CISM
Chief Technology Officer
FIRST Representative - AboveSecCERT
 
Above Security
Phone: (450) 430-8166 #103
Fax: (514) 370-8335
Cell: (514) 831-5427
Email: martin.dion@abovesecurity.com
 
This message and any attachments are confidential and intended solely
for the addressee. If you have received this message in error please
delete it and notify Above Security immediately, telephone number (450)
430-8166. Any unauthorized use, alteration or dissemination is
prohibited. Above Security accepts no liability whatsoever for any loss,
whether it be direct, indirect or consequential, arising from
information made available and actions resulting there from.

-----Original Message-----
From: Matthew Caston [mailto:mattcaston@mchsi.com] 
Sent: January 11, 2005 11:28 AM
To: Newcomb, Kelly
Cc: security-management@securityfocus.com
Subject: Re: diff btw BD 7799, ISF Security Standard, ITIL and others..

Nabil,
I would suggest detailing why you want a standard before proceeding - 
while it's always a good idea to check with the auditors/lawyers first, 
you should set some core objectives and then refer to the available 
standards to determine which can help you get to a stable endpoint.  No 
standard can be wholesale transplanted into your specific organization 
without modification.  What are you looking to get out of implementing 
standards?  Cost savings/operational excellence/risk 
management/QOS....what do your customers (read: users) want/need??

If your objectives are simply controls/compliance (eg. SOX), based, your

Auditors will likely endorse CoBIT/COSO.  However, if you're looking to 
standardize policy, process and procedure then ITIL and ISO/BS  can 
help.  There are some decent 101-level articles/papers in the SANS 
reading room which you might want to review.  Either way, define your 
objectives and then see which approach best suites those objectives.

Regards.....


Newcomb, Kelly wrote:

> You might try talking with your auditor(s) and ask them which
"standard"
> they will be measuring you against. That might help with your
direction.
> Hope this helps...
> --
> Kelly Newcomb, CISSP
> Information Security Officer
> Texas Guaranteed - The Guarantor of Choice
> Voice: 512-219-4697
> Email: kelly.newcomb@tgslc.org
> "Discipline is doing something you don't want to do when you don't want
> to do it, in order to do something you want to do when you want to do
> it."
>
> -----Original Message-----
> From: NabilM@kuveytturk.com.tr [mailto:NabilM@kuveytturk.com.tr] 
> Sent: Tuesday, January 11, 2005 12:45 AM
> To: security-management@securityfocus.com
> Subject: diff btw BD 7799, ISF Security Standard, ITIL and others..
>
> Fellows,
>
> Can some one point me too some article(s), or summarize me the
> difference between these IT Security Standards including BD 7799, ISF
> Security Standard, ITIL and others. I read some where that BS 7799 is
> less like a standard and more like security practices that enable one
to
> build and tailor a security standard for his/her particular
> organization. On the other hand, ISF standard was prepared by taking BS
> 7799 into account. I plan to implement a standard this year for my org,
> and I am in the process of comparing the available ones. Any help in
> this would be greatly appreciated.
>
> Thanks in advance,
>
> -Nabil.
>
>
> DISCLAIMER:
> Bu elektronik posta ve ekleri, sadece yukarida ismi yazili alicinin
> dikkatine gonderilmistir. Mesajin muhatabi degilseniz, icerigini ve
> varsa ekindeki dosyalari kimseye aktarmayiniz ya da kopyalamayiniz.
> Boyle bir durumda gondereni uyarip, mesaji imha ediniz. KUVEYT TURK
> E.F.K. A.S bu e-postanin ve eklerinin icerdigi bilgilerin size
> degisiklige ugrayarak ulasmasindan veya gec ulasmasindan, butunlugunun
> ve gizliliginin korunamamasindan veya icerigine guvenilerek yapilacak
> islemlerden dolayi sorumlu tutulamaz.
> This e-mail & its content have been sent to the attention of the
> receiver named above. If you are not the intended recipient (or have
> received this e-mail in error), Please notify the sender immediately
and
> destroy this e-mail. Any unauthorized copying, disclosure or
> distribution of the material in this e-mail is strictly forbidden.
> Kuwait Turkish Evkaf Finance House shall not be held liable for the
> arrival of this e-mail & its content as modified or late, the
protection
> of integrity and secrecy and shall not be liable to any person who acts
> or omits to do anything in reliance upon it.
>
>