
RE: diff btw BD 7799, ISF Security Standard, ITIL and others..

Subject: RE: diff btw BD 7799, ISF Security Standard, ITIL and others..
Date: Wed, 12 Jan 2005 09:48:44 +0200
Thanks to all for your extremely valuable input.

Matthew, that's a very good point you have raised: define the objectives first. There is not really any compliance requirement from auditors or the government so far, but that is very much possible in the near future. The main reason for me to have a security compliance standard is to mitigate IT risks. The security administrators in the past have not been following any standard/process, and apparently the security of many of the IT processes (new or old) within the organization gets overlooked. They don't have a proper security management process to follow and are hence always a couple of steps behind. In short, I am looking for an "IT Security Management Process". Can these standards (e.g. BS 7799), and which one, help me?


-----Original Message-----
From: Matthew Caston [mailto:mattcaston@mchsi.com] 
Sent: Tuesday, January 11, 2005 6:28 PM
To: Newcomb, Kelly
Cc: security-management@securityfocus.com
Subject: Re: diff btw BD 7799, ISF Security Standard, ITIL and others..

Nabil,
I would suggest detailing why you want a standard before proceeding. While it's always a good idea to check with the auditors/lawyers first, you should set some core objectives and then refer to the available standards to determine which can help you get to a stable endpoint. No standard can be wholesale transplanted into your specific organization without modification. What are you looking to get out of implementing standards? Cost savings/operational excellence/risk management/QoS... what do your customers (read: users) want/need?

If your objectives are simply controls/compliance (e.g. SOX) based, your auditors will likely endorse CoBIT/COSO. However, if you're looking to standardize policy, process and procedure, then ITIL and ISO/BS can help. There are some decent 101-level articles/papers in the SANS reading room which you might want to review. Either way, define your objectives and then see which approach best suits those objectives.

Regards.....


Newcomb, Kelly wrote:

You might try talking with your auditor(s) and ask them which "standard" they will be measuring you against. That might help with your direction.

Hope this helps...
--
Kelly Newcomb, CISSP
Information Security Officer
Texas Guaranteed - The Guarantor of Choice
Voice: 512-219-4697
Email: kelly.newcomb@tgslc.org
"Discipline is doing something you don't want to do when you don't want
to do it, in order to do something you want to do when you want to do
it."

-----Original Message-----
From: NabilM@kuveytturk.com.tr [mailto:NabilM@kuveytturk.com.tr] 
Sent: Tuesday, January 11, 2005 12:45 AM
To: security-management@securityfocus.com
Subject: diff btw BD 7799, ISF Security Standard, ITIL and others..

Fellows,

Can someone point me to some article(s), or summarize for me the differences between these IT security standards, including BS 7799, the ISF Security Standard, ITIL and others? I read somewhere that BS 7799 is less like a standard and more like a set of security practices that enable one to build and tailor a security standard for his/her particular organization. On the other hand, the ISF standard was prepared by taking BS 7799 into account. I plan to implement a standard this year for my org, and I am in the process of comparing the available ones. Any help in this would be greatly appreciated.

Thanks in advance,

-Nabil.


DISCLAIMER:
This e-mail and its content have been sent to the attention of the receiver named above. If you are not the intended recipient (or have received this e-mail in error), please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Kuwait Turkish Evkaf Finance House shall not be held liable for the arrival of this e-mail and its content as modified or late, or for the protection of its integrity and secrecy, and shall not be liable to any person who acts or omits to do anything in reliance upon it.
