A RESOURCE GUIDE FOR INFORMATION SYSTEM SECURITY OFFICERS:

A Compendium of Information Security Acts, Standards, and Guidelines

An integrative project submitted

by

Ken Fogalin

to

the School of Business and Technology

in partial fulfillment of
the requirement for the
degree of

MASTER OF SCIENCE
in
INFORMATION TECHNOLOGY - INFORMATION SECURITY SPECIALIZATION

This integrative project has been
accepted for the faculty of
Capella University by:

Professor Sharon Gagnon

Capella University
Minneapolis, MN

Copyright © March 19, 2006

Digitally signed by Ken Fogalin
DN: CN = Ken Fogalin, C = CA, O = Department of National Defence, OU = Directorate of Information Management Security
Reason: I am the author of this document
Location: Ottawa, Ontario
Date: 2006.03.09 17:01:02 -05'00'
Abstract

This paper serves as a single-source introductory guide to the commonly recognized and accepted national and international information security (INFOSEC) acts, standards, and guidelines. It introduces the key elements of a complete INFOSEC program as well as the role and responsibilities of Information System Security Officers (ISSOs). It provides ISSOs with an overview of the substantial security measures and best security practices that are currently available to protect their company network and help them determine if their company network is compliant with mandated acts and standards. This paper describes the INFOSEC acts, standards, and guidelines in terms of how they relate to different security issues such as governance, privacy, and protection of critical assets. In addition to providing a broad overview of each security reference, this paper also provides a qualitative assessment of the particular security references in terms of their helpfulness to ISSOs. Therefore, this paper is valuable as a basis on which businesses could develop an in-house ISSO course. Finally, this paper serves as a valuable reference document for the ISSO community at large when they need to provide advice to their Chief Information Officer (CIO).
Dedicated to Nancy, Rachel, and Sarah
for their love, support, and understanding,
especially during these past two years.
CONTENTS

Abstract ..... ii
List of Tables ..... vi
Table of Figures ..... vii
PART I ..... 1
Chapter 1 - Introduction ..... 1
    Scope of This Paper ..... 4
Chapter 2 - Elements of an INFOSEC Program ..... 6
Chapter 3 - Role and Responsibilities of ISSOs ..... 8
Chapter 4 - Review of the Literature ..... 10
    Information Security Harmonisation ..... 10
    A Comparative Study of IT Security Criteria ..... 13
    International Codes of Practice for Information Security Management ..... 14
    Conclusion ..... 15
PART II ..... 17
Chapter 5 - Government Acts ..... 17
    Personal Information Protection and Electronic Documents Act (PIPEDA) ..... 17
    Health Insurance Portability and Accountability Act (HIPAA) ..... 19
    Sarbanes-Oxley Act (SOX) ..... 22
    Gramm-Leach-Bliley Act (GLBA) ..... 23
    Summary of Government Acts ..... 25
    Rating of Government Acts ..... 27
Chapter 6 - INFOSEC Standards ..... 28
    Generally Accepted Principles and Practices for Securing Information Technology Systems ..... 29
    OECD Guidelines for the Security of Information Systems and Networks ..... 31
    Generally Accepted Information Security Principles (GAISP) ..... 31
    German IT Security Guidelines ..... 33
    COBIT® ..... 35
    ISO/IEC 17799 Code of Practice for Information Security Management ..... 37
    BS 7799-2 Specification for Information Security Management Systems ..... 42
    Summary of INFOSEC Standards ..... 43
    Rating of INFOSEC Standards ..... 46
Chapter 7 - INFOSEC Guidelines and Best Practices ..... 48
    AICPA/CICA Privacy Framework ..... 48
    ISO/IEC TR13335 Guidelines for the Management of IT Security (GMITS) ..... 50
    An Introduction to Computer Security: The NIST Handbook ..... 57
    RFC 2196 Site Security Handbook ..... 59
    The Standard of Good Practice for Information Security ..... 61
    The CERT® Guide to System and Network Security Practices ..... 65
    Summary of INFOSEC Guidelines and Best Practices ..... 67
    Rating of Guidelines and Best Practices ..... 70
PART III ..... 72
Chapter 8 - Conclusions ..... 72
    Overall Rating of Acts, Standards, and Guidelines ..... 73
Chapter 9 - Recommendations for Further Study ..... 75
References ..... 76
APPENDIX A GLOSSARY OF TERMS ..... 80
APPENDIX B RECOMMENDED INFOSEC RESOURCES FOR FURTHER READING ..... 82

List of Tables

Table 1. Rating scale for acts, standards, and guidelines indicating their helpfulness to ISSOs ..... 4
Table 2. Summary of acts and their helpfulness to ISSOs ..... 27
Table 3. Summary of INFOSEC standards and their helpfulness to ISSOs ..... 47
Table 4. Summary of INFOSEC guidelines and their helpfulness to ISSOs ..... 71
Table 5. Quick reference to the INFOSEC acts, standards, and guidelines and their helpfulness to ISSOs ..... 74

Table of Figures

Figure 1. Example of how COBIT® presents its control objectives ..... 37
Figure 2. Example of how ISO 17799 organizes and presents safeguards ..... 40
Figure 3. Typical threats to confidentiality, integrity, and availability ..... 55
Figure 4. Example of how ISF’s Standard organizes and presents its security practices ..... 63
PART I

Chapter 1 - Introduction

For the past thirty years, the information security (INFOSEC) profession has emerged on the international stage in a fragmented manner with little cohesive organization. The evidence for this generalization comes from the barrage of network intrusions and the escalating number of independent INFOSEC reports, acts, standards, and guidelines in both the public and private sector. According to Carnegie Mellon University’s CERT Coordination Center, the quantity of INFOSEC incidents reported by businesses has doubled every year since 2000, and a survey of the literature indicates that the number of INFOSEC reports, standards, and guidelines mirrors this growth (Conner, 2003). The proliferation of security acts, standards, and guidelines exists because, in today’s electronic commerce economy, the stakes of not securing the flow of information are particularly high.

Furthermore, no one agency has prescribed an all-encompassing security standard that satisfies both national and international business partners. The U.S. Government has established a significant legislative and regulatory regime around information technology (IT) security, yet it is considering additional action because many companies have not sufficiently addressed (or may not be aware of) the laws that govern how they must address their INFOSEC needs (Conner, 2003). In addition, there is already broad consensus on common solutions to IT security. Despite this, the avalanche of literature that prescribes security measures and practices to protect a business’s critical information assets continues to grow into a complex web of requirements. Complicating this issue is the fact that there is no clear linkage among the INFOSEC standards, so businesses may find themselves working with a dozen standards in parallel as they cross international boundaries; and someone has to make sense of it all.

Making sense of it all is a task that typically rests with the Chief Information Officer (CIO) who implements and manages the company’s INFOSEC program. However, the CIO relies heavily on a team of subject matter experts to conduct the day-to-day security operations. On this team, the Information System Security Officer (ISSO) is one of the CIO’s key subject matter experts.

As such, ISSOs must possess a strong technical background combined with a good working knowledge of the acts that mandate security measures for their business, and the myriad of standards and guidelines that are available to help achieve compliance with the applicable laws. In essence, ISSOs need to raise their awareness of key acts and their working knowledge of other, more detailed, security-related documents, to effectively perform their day-to-day duties and maintain their subject matter expertise.

Therefore, this paper discusses the commonly recognized and accepted national and international INFOSEC acts, standards, and guidelines that ISSOs need to have knowledge of in order to advise their CIO. Security acts, standards, and guidelines obviously co-exist with other security requirements within an overarching INFOSEC program. Accordingly, Chapter 2 defines what an INFOSEC program is and then provides a broad overview on what constitutes the key elements of an INFOSEC program. Then, Chapter 3 describes the key responsibilities typically expected of ISSOs and the role they play within the overarching INFOSEC program. Chapter 4 follows with a brief review of the literature, which represents what other authors have written about the well-known security standards and guidelines. Chapters 1 to 4 form Part I of this paper and serve as background information. It is not necessary for the reader to have an intricate knowledge of Part I to understand and use the information in Part II of this paper. Nevertheless, Part I is presented for the benefit of the less-experienced INFOSEC professional.

Part II of this paper represents the main body of information and provides an independent discussion of each of the INFOSEC acts (Chapter 5), standards (Chapter 6), and guidelines (Chapter 7). These chapters give a broad picture of each of these security documents in terms of:

1. Who issued it, and who is the target audience?
2. What type of document is it, and what are its security objectives?
3. Where does it apply (i.e., to which type of business)?
4. When was it published (i.e., how current is it)?
5. Why is it important?

At the conclusion of each chapter, the acts, standards, and guidelines are summarized and assigned a rating that indicates how helpful they may be to ISSOs. Table 1 shows the rating scale this paper will use, which is based on the author’s personal experience as an ISSO.
Table 1. Rating scale for acts, standards, and guidelines indicating their helpfulness to ISSOs.

Scale    Meaning
m        Not helpful at all.
mn       Little or no direct relevance, but may be helpful as awareness.
mno      Unlikely to provide real benefit, but is helpful if it is used with complementary documents.
mnop     Provides helpful guidance with a good level of detail, but it may not be directly relevant to the ISSO’s day-to-day duties.
mnopq    Provides very helpful and relevant information, but the level of detail may sometimes be inadequate.
mnopqr   Provides exceptionally helpful information, which is highly relevant and sufficiently detailed.

Chapter 8 summarizes the major points of this paper. Finally, Chapter 9 provides some recommendations for further study. In addition, this paper provides an appendix of additional security resources (Appendix B) that are of value to ISSOs, but do not directly relate to the main purpose of this paper. Appendix B does not provide a detailed discussion of the additional references; rather it simply provides a categorized list of other security resources and information about where they could be obtained.

Scope of This Paper

This paper does not attempt to deal with all the literary resources that ISSOs should be concerned about within the entire spectrum of an INFOSEC program. A more achievable objective is to present the most relevant and well-established information that ISSOs rely upon to conduct their day-to-day duties and protect their company’s critical information assets. Certainly, to perform the full range of their duties and to maintain their subject matter expertise, ISSOs need access to other resources and require knowledge and skills that are well beyond what this paper presents. Therefore, mention of many of these other resources is included in Appendix B so as not to detract from the main purpose of this paper. For example, in order to select and apply appropriate safeguards, ISSOs must first conduct a vulnerability assessment (VA) and a threat and risk assessment (TRA). Appendix B includes a number of key references that describe how to do these assessments. In addition, ISSOs may be involved in conducting security education and awareness training. References are included in Appendix B that may help with this task as well. Also included in Appendix B are a number of references that may be of professional development value to ISSOs. For companies looking to develop their own in-house ISSO training course, these additional references should also form part of the curriculum.
Chapter 2 - Elements of an INFOSEC Program

The INFOSEC program is the overarching structure that brings organization and governance to all components of INFOSEC. This program allows individual security elements, which are modular in nature, to work in harmony within the enterprise to support its business goals. Many businesses might consider the INFOSEC program as a back-office technical specialty; nevertheless, it is a required business function that is still evolving (Pironti, 2005). However, the evolution of an INFOSEC program has not gained wide consensus or recognition.

Therefore, the Human Firewall Council solicited recommendations from security experts and industry groups to define a practical cross-industry, global definition of what an INFOSEC program should consist of. In their 2003 Security Management Index Report, the Human Firewall Council categorized an INFOSEC program into ten key components. These ten components, which correlate directly with the ISO/IEC 17799 international standard, include:

1. Security policy.
2. Organization of assets and resources.
3. Asset classification and control.
4. Personnel security.
5. Physical and environmental security.
6. Communications and operations management.
7. Access control.
8. Systems development and maintenance.
9. Business continuity management.
10. Compliance (Rasmussen, 2003).
Due to the Human Firewall Council’s definition, the term “INFOSEC program” now has some meaning and is starting to gain acceptance within the business community. However, it is prudent to keep in mind that an INFOSEC program may not always fit neatly into the ten categories described by the Human Firewall Council. This structure may work well for large corporations, but small and medium-sized organizations will likely have to combine functionality across these categories to produce an integrated and holistic INFOSEC program (Rasmussen, 2003). By aligning their INFOSEC program to the leading industry practices, businesses will have a much greater chance of success in achieving compliance with current INFOSEC acts and standards, and will be well suited to comply with future regulations (Pironti, 2005).

Achieving such alignment requires leadership, management, and teamwork. The CIO is without question a key player in integrating all the elements of an INFOSEC program into the business’s operational mindset. However, the CIO depends on other management staff to fulfill critical security functions; the ISSO is one of those vital members of the security team and the primary audience for this paper.
Chapter 3 - Role and Responsibilities of ISSOs

In Federal organizations, ISSOs are the organization’s officials who are responsible for maintaining the appropriate day-to-day operational security posture for the specified information system or program (Swanson, 2006). ISSOs have many responsibilities; however, a key duty is assisting senior INFOSEC officials (such as the CIO) with the identification, implementation, and assessment of security controls. Another key duty includes developing and updating information system security plans and advising the information system owner about changes to the system and the security impact of those changes (Swanson, 2006).

However, this description does not adequately convey the true breadth of the role and responsibilities of an ISSO in most businesses, and there is wide disparity about the ISSO’s reporting channels and duties depending on his or her place of employment. For example, in medium to large companies, the ISSO position is a full-time job; while in smaller businesses it remains mostly a part-time job (i.e., it is a secondary responsibility for one of the business’s full-time employees). Nevertheless, ISSOs hold an extremely important position as leaders and in-house consultants on information-protection matters and are still generally part of the IT department’s function (Kovacich, 2003).

Ideally, an ISSO should report directly to the CIO, but this is seldom the case in large organizations. More frequently, an ISSO will report to an intermediate officer, commonly referred to as the Information System Security Manager (ISSM). The ISSM focuses more on security program requirements and higher-level management functions required to implement the security program. The ISSO in turn, acts for the ISSM by carrying out the day-to-day security procedures (Gallagher, 1992). To fulfill this responsibility, ISSOs require a solid technical background that includes thorough knowledge of the threats to and vulnerabilities of information systems, as well as broad knowledge of INFOSEC acts, standards, and guidelines that the INFOSEC industry commonly uses to mitigate such threats and vulnerabilities. This latter knowledge is essential for ISSOs to enforce security policies and safeguards and to ensure compliance with mandated security rules and standards (Gallagher, 1992).

Educating ISSOs on the deluge of INFOSEC acts, standards, and guidelines can be an overwhelming task for many businesses. In addition, determining which of the acts, standards, and guidelines are most pertinent can be an even more daunting task. Therefore, this paper aims specifically at meeting these goals (i.e., educating and guiding ISSOs to help them discover the most prevalent acts, standards, and guidelines and deciding which ones are most relevant to the business they are protecting).
Chapter 4 - Review of the Literature

One of the goals of this paper is to demonstrate to ISSOs that there is a considerable amount of information already available to them to help protect their company’s critical information assets. This information comes in a variety of forms, such as acts, standards, and guidelines. Therefore, there is little need for a company to develop its own INFOSEC standards; most companies simply need to adapt and apply what other security experts are currently doing. Other authors have written various articles, documents, and reports analyzing and evaluating the security acts, standards, and guidelines that the worldwide community commonly accepts as proven and effective. Hence, it would be prudent to review such literature and identify any patterns that would indicate which of the well-known security acts, standards, and guidelines have significant value for ISSOs. The literature on INFOSEC is plentiful, but most of the articles limit their review to a single regulation, standard, guideline, or best practice document. There is some literature linking one particular standard to another, but there are only a few significant pieces of literature that attempt to compare multiple standards and guidelines.

Information Security Harmonisation

First, the technical study entitled Information Security Harmonisation (Macartney, 2005) represents a significant contribution to the literature because it attempts to define a framework to compare the broad base of INFOSEC standards and guidelines documents. Macartney (2005) argued that numerous security standards, guidelines, and codes of practice exist without any linkage to each other; in other words, without a framework on which to express or develop their objectives. Rather, most security documents focus on one or more security issues of importance, but not necessarily in context with other published works. Therefore, under direction from the Information Technology Governance Institute, Macartney’s technical study of the INFOSEC-focused literature provides a comprehensive road map to seventeen INFOSEC documents that are commonly recognized and accepted worldwide. Macartney classified and evaluated each security document in the same manner and by using the same criteria. The evaluative framework included:

1. What organization issued the document?
2. What type of document is it (for example, an international or national standard, guideline, or best practice)?
3. What principal area of security does it fulfill (for example, security management, security principles, high-level safeguards, detailed safeguard practices, or security methodology)?
4. What is the circulation of the document (for example, worldwide or regional)?
5. What is the stated purpose of the document?
6. What are the drivers for implementing the guidance?
7. What are the identified risks of not implementing the guidance?
8. Who is the stated target audience of the document?
9. How current is it and how often is it revised?
10. What certification opportunities exist for adherence to or knowledge of the guidance, at either the organization or individual level?
11. How complete is the guidance in terms of implementing and managing an enterprise INFOSEC management program?
12. Where can the guidance be obtained?
13. How recognized is the guidance and how acceptable is it to the INFOSEC industry?
14. How widely is the guidance used by security practitioners?
15. What level of coverage does the guidance provide when compared against the task/knowledge statements in the Certified Information Security Manager (CISM) job domains?
16. How thorough is the content of the guidance?

To determine the recognition, acceptance, and usage of each security document, Macartney surveyed 1,900 INFOSEC professionals holding a current CISM qualification and incorporated their responses into the study. This evaluative framework enables INFOSEC professionals to identify which of the security documents would be of best use within their own organization or most appropriate for improving their own skills and knowledge.

Macartney’s study provides a valuable contribution to the INFOSEC industry, and most ISSOs would find her study useful, but it does presume a good level of familiarity and experience with security standards and guidance documents. In addition, Macartney specifically compared the seventeen reviewed security documents to the five CISM domains:

1. Information security governance.
2. Risk management.
3. Information security program management.
4. Information security management.
5. Response management.

These five domains do not easily correspond to the ten elements of an INFOSEC program espoused by the Human Firewall Council and the ISO/IEC 17799 standard discussed earlier in this paper. However, Macartney’s findings did indicate that the ISO/IEC 17799 document has made a significant impact on the INFOSEC community. Her study noted that over 97 percent of the surveyed CISMs recognized the ISO/IEC 17799 document and more than 85 percent of them accepted it as a conventional security standard (Macartney, 2005). Despite this, Macartney concluded that the ISO/IEC 17799 standard is unlikely to provide real benefit in addressing the five CISM domains and is only useful as a complement to other resources. This does not imply that the ISO/IEC 17799 standard is not valuable as a basis for an INFOSEC program, simply that it holds little value for those INFOSEC professionals preparing to seek the CISM qualification. It is interesting to note that Macartney’s study suggested that only three of the seventeen INFOSEC documents adequately map to the CISM domains. Based on this study, ISSOs who are preparing for the CISM qualification may need to reconsider what references they are using.

A Comparative Study of IT Security Criteria

However, in a similar comparative study, Project Team 5 of Initiative D21 reviewed nine of the commonly recognized security standards and was not so harsh on the ISO/IEC 17799 standard. This study noted that the ISO/IEC 17799 standard does provide a comprehensive collection of safeguards, which satisfy a best practice approach to INFOSEC, and the standard does provide a common reference point for assessing an INFOSEC management program (German Chamber of Commerce, 2001). Initiative D21 also noted that the ISO/IEC 17799 standard is heavily oriented towards generic, baseline security measures, making it a flexible standard that is not restricted to a specific security level and is largely independent of the organizational structure. For example, the standard permits organizations to decline some security measures, with justification, making it quite suitable for smaller organizations. On the other hand, organizations that require high security safeguards could also modify the standard to suit their needs (German Chamber of Commerce, 2001).
Unlike Macartney (2005), Initiative D21 did not attempt to map the reviewed security literature to a specific certification framework, such as CISM. However, Initiative D21 did agree with one of Macartney’s conclusions: the ISO/IEC 17799 standard is more useful if it complements another security resource. The reason for this conclusion is that the ISO/IEC 17799 standard does not provide the specific technical instructions to implement the recommended security measures. Rather, it is a generic catalogue of best practices that prescribes what to do, but not how to do it. However, it is important to note that both Macartney (2005) and Project Team 5 of Initiative D21 (German Chamber of Commerce, 2001) reviewed the first version of the ISO/IEC 17799 standard that was published in 2000. Rasmussen (2005) agrees that the original version had some weak areas, but he claims that the second version, published in 2005, fixes those weak areas. The 2005 version of the ISO/IEC 17799 standard provides a much stronger and expanded framework for INFOSEC management, but still does not provide the depth needed for a robust INFOSEC program (Rasmussen, 2005).

International Codes of Practice for Information Security Management

The third significant study came out of the School of Computing at the University of South Africa. Smith’s (2005) paper provided a broad overview of seven of the well-known security standards and argued that organizations need to adopt and comply with internationally recognized standards, or to cross-reference any in-house developed standards to an existing international standard. Smith argued that the lack of sufficient security safeguards might threaten the organization’s own electronic business and the security of their business partners. It is therefore necessary for an organization to certify their compliance to some international security standard (Smith, 2005). Smith also noted that the ISO/IEC 17799 standard is the only international standard that an organization can use to provide the necessary proof to their trading partners. Smith’s technical report does not draw any conclusion as to which standard is better than another or more appropriate for small or large organizations. However, this study does list some of the benefits of adopting a specific standard and allows the reader to draw their own conclusions. For example, this study suggested that organizations adopting the Generally Accepted System Security Principles (GASSP) would:

1. Promote good security practice.
2. Have a legal and authoritative point of reference for security practices.
3. Increase their business effectiveness and efficiency by preserving public trust in their IT capability.
4. Minimize barriers to the free flow of information.
5. Be assured of a globally known skill set.
6. Increase management confidence in the decisions that INFOSEC practitioners make.
7. Enjoy increased customer confidence, trust, and acceptance in their products (Smith, 2005).

Conclusion

As demonstrated by the review of the literature, there is some disagreement within the INFOSEC community regarding the merit of some standards; the profession still lacks a unified body of guidance; and ISSOs do not have a single comprehensive reference point for acts, standards, guidelines, best practices, certifications, success metrics, and even terminology. This paper does not serve as united guidance for the INFOSEC community. However, Part II of this paper does attempt to provide ISSOs with an all-inclusive reference point to the commonly accepted national and international INFOSEC-related documents. Next, this paper will discuss these documents under the broad headings of government acts, INFOSEC standards, and INFOSEC guidelines and best practices.

PART II

Chapter 5 - Government Acts

Acts are orders issued by a government department or agency that have the force of law. Acts usually focus on a specific industry or issue of critical importance. From an INFOSEC perspective, acts mandate the security measures that businesses must embrace to protect the information assets that they are responsible for. These security measures tell businesses “what to do” in very high-level statements, leaving the detailed implementation (i.e., “how to” implement safeguards that will satisfy the security requirements of the act) to the discretion of the business. The important point about acts is that businesses must satisfy all the prescribed security measures; how they do that is up to them. This is an important distinction for ISSOs since CIOs will call upon them to implement appropriate safeguards for each of the prescribed security measures that the act mandates. Therefore, ISSOs should be familiar with the impact that acts have on their particular business.

There are many acts that have some impact on the INFOSEC community, but it is not the intent of this paper to review them all. Rather, this paper focuses on a relatively few acts that appear to receive the greatest share of attention and are generally recognized as important landmarks.

Personal Information Protection and Electronic Documents Act (PIPEDA)

In Canada, two federal privacy laws protect individuals. One law, the Privacy Act, prescribes how the federal government must handle personal information; the other, the Personal Information Protection and Electronic Documents Act (PIPEDA), imposes how Canada's private sector must handle personal information. The PIPEDA was assented to on April 13, 2000, by the Senate and House of Commons of Canada, but it is really the result of a collaborative effort by representatives of government, consumers, and business groups (Canada, Office of the Privacy Commissioner, 2000). However, it did not come fully into effect until January 1, 2004.

The PIPEDA applies across the board to all non-government organizations that collect, use, or disclose personal information during the conduct of commercial activities. It imposes ten principles of fair information practices that all private sector businesses must adhere to, namely accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and providing recourse (Canada, Office of the Privacy Commissioner, 2000).

The CIO addresses these privacy issues within the overarching information management program. However, it is common for ISSOs to be involved in some aspects of privacy compliance. For example, the principle of accountability requires that an organization appoint an individual to protect all personal information held by the organization or transferred to a third party for processing. Undoubtedly, ISSOs will be heavily involved in implementing the technologies to protect such information and therefore should develop a good working rapport with the appointed individual. In smaller organizations, this individual may in fact be the ISSO. In addition, the principle of safeguards requires organizations to protect personal information against loss or theft, and to safeguard the information from unauthorized access, disclosure, copying, use, or modification. Again, ISSOs will be heavily involved in the selection and application of appropriate safeguards, specifically the selection of physical security measures (locked filing cabinets, restricting access to offices, alarm systems), technological tools (passwords, encryption, firewalls), organizational controls (security clearances, limiting access on a "need-to-know" basis, staff training, agreements), and education and awareness training to make all employees aware of the importance of maintaining the security and confidentiality of personal information. The CIO may also call upon ISSOs for their input into a security policy to protect personal information.

The PIPEDA is a document that ISSOs should skim simply because they need to understand the importance of this legislation. The document itself does not tell ISSOs how to protect personal information collected, used, or disclosed by their company, but it does provide the legal and authoritative point of reference with which to impose certain safeguards. Later, this paper will discuss a supporting document that introduces a privacy framework that organizations can use to guide and assist them in implementing their privacy program (American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2004).

Health Insurance Portability and Accountability Act (HIPAA)

In 1996, the U.S. Congress enacted the Administrative Simplification (part of Title II) provisions of the Health Insurance Portability and Accountability Act (HIPAA) to promote standardized electronic transactions in the health care industry and protect the privacy and security of health information (Hash, 2005). It was not until February 20, 2003, that the U.S. Department of Health and Human Services adopted sections 160, 162, and 164 of the HIPAA as their security standards final rule. These sections are set out in Part 45 of the Code of Federal Regulations (CFR) and require organizations to take measures to secure electronic protected health information (EPHI) while it is in their custody (U.S. Department of Health & Human Services, 2003). The HIPAA security rule specifically focuses on safeguarding EPHI, and all “covered entities” must comply with the rule. Examples of covered entities include health care providers, health plans, health care clearinghouses, and Medicare prescription drug card sponsors (Hash, 2005).

More specifically, the HIPAA security rule objectives are to ensure confidentiality, integrity, and availability of EPHI that organizations create, receive, maintain, or transmit. As well, organizations must protect EPHI against any reasonably anticipated threats and hazards, and against reasonably anticipated uses or disclosures that are not permitted by the Privacy Rule (Hash, 2005).

The HIPAA security rule is separated into six main sections and each section includes several standards. Furthermore, each standard is subdivided into implementation specifications, each of which is categorized as required or addressable. In all, there are 18 standards and 36 implementation specifications (14 required and 22 addressable). The 18 standards are mandatory and all organizations must comply with them. However, compliance with the 36 implementation specifications depends on whether they are categorized as required or addressable. A required specification is considered a standard and organizations must comply with it. An addressable specification, on the other hand, is a reasonable and appropriate safeguard that organizations must consider, although they are not obliged to implement it. Nevertheless, organizations cannot simply dismiss addressable specifications. Organizations must perform a risk assessment to determine if the safeguard is appropriate for their environment or if they should implement an equivalent alternative (Hash, 2005).

The Federal Register Subpart C provides the approved requirements under sections 160, 162, and 164 of the HIPAA. However, the Federal Register also includes much more information such as the background, general provisions, and analysis of and responses to public comments on the security rule. This is a wealth of information for understanding the HIPAA from an INFOSEC perspective, but it is not required for ISSOs to implement the rule. One other issue worth noting is that the Federal Register mentions numerous National Institute of Standards and Technology (NIST) publications, including Hash’s (2005) guide, as potentially helpful guidance, but not mandatory for achieving compliance with the HIPAA (U.S. Department of Health & Human Services, 2003).

Hash has cross-referenced every standard to the citation where the standard is located within the HIPAA security rule. For each standard, Hash has further defined key activities, which are actions that organizations should pursue to comply with the associated rule; some of the key activities are the actual implementation specifications. Hash also provides an expanded explanation about the key activities to help get organizations started in addressing the HIPAA security rule. An additional feature of Hash’s guide is the sample questions. These questions are indicative of relevant questions that an organization could ask as a starting point to examine its own security practices that relate to the HIPAA security rule. Finally, Hash includes illustrated examples of two hypothetical federal agencies to show how the standard may be addressed in a specific environment. These examples suggest actions and issues that could arise. For ISSOs who work for a “covered entity,” Hash’s guide is indispensable.

Sarbanes-Oxley Act (SOX)

In 2002, the U.S. Congress enacted the Sarbanes-Oxley Act of 2002 (SOX), which defines the requirements for financial and accounting disclosure of information. It is an act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. The act is named after its main architects, Senator Paul Sarbanes and Representative Michael Oxley (U.S. Congress, 2002).

The SOX Act is organized into eleven titles, although section 404, entitled Management Assessment of Internal Controls, is the most significant with respect to compliance and internal control. Section 404 goes beyond the requirement to merely establish and maintain adequate internal controls; it requires that senior management assess the effectiveness of their internal controls on an annual basis (IT Governance Institute, 2004).

There is not much literature detailing the INFOSEC implications of the SOX Act. Furthermore, the literature that does exist generally addresses executive management and senior IT control professionals’ concerns. To further obscure the INFOSEC implications, the U.S. Public Company Accounting Oversight Board (PCAOB), which was created by the SOX Act, indicates that internal control is not one-size-fits-all and that the nature and extent of controls greatly depend on the size and complexity of the organization. Therefore, each organization must carefully consider the appropriate IT controls for its own circumstances.

To accomplish this, CIOs must now enhance their knowledge of internal controls, understand their organization’s overall SOX Act compliance plan, and develop specific IT security compliance plans. Accordingly, CIOs must first assess the current state of their organization’s IT control environment, and then design the controls necessary to meet the directives of the SOX Act section 404 (IT Governance Institute, 2004). It should be obvious to most ISSOs that they will be indirectly involved in this process; therefore, they should be aware of the SOX Act section 404 requirements in order to provide appropriate advice to their CIO. There are a number of valuable resources to help ISSOs address the INFOSEC requirements of the SOX Act, namely the guide issued by the IT Governance Institute (2004), and other standards that will be discussed later in this paper, such as COBIT© and ISO/IEC 17799.

Gramm-Leach-Bliley Act (GLBA)

In 1999, the U.S. Congress enacted the Gramm-Leach-Bliley Act (GLBA) to reform and modernize the banking industry. Subtitle A of Title 5 of the GLBA, labelled Disclosure of Nonpublic Personal Information, requires the Federal Trade Commission (FTC) to establish INFOSEC safeguards, for financial institutions, for certain personal information (U.S. Congress, 1999). The FTC issued its final safeguards rule on May 23, 2002. The FTC's safeguards rule regulates only financial institutions (i.e., businesses that engage in banking, insuring stocks and bonds, financial advice, and investing) (Federal Trade Commission, 2002).

The objectives of the GLBA safeguards rule are threefold. First, the GLBA aims to ensure the confidentiality of customers’ information. Second, it aims to protect the integrity of such information against any anticipated threats or hazards. Finally, the GLBA aims to protect the information against unauthorized access or use which could result in substantial harm or inconvenience to any customer (Federal Trade Commission, 2002).

Under the GLBA, financial institutions must implement and maintain an INFOSEC program (including administrative, technical, and physical safeguards) and must demonstrate compliance with their program. The standard set for establishing a compliance program comes from Compliance Programs and the Corporate Sentencing Guidelines; Preventing Criminal and Civil Liability, which says that for an organization to have an effective compliance program, the following seven elements are required: existence of written standards; effective oversight; due care in delegation of authority; training; monitoring; discipline; and corrective action (Kaplan, 2000).

The GLBA safeguards rule itself is a very high-level set of general elements that a financial institution must include in its information security program. The five basic elements of the GLBA are:

1. Assign security responsibility.

2. Perform a risk assessment on information systems operations including the areas of security awareness, security technologies and procedures, incident response, and contingency planning.

3. Design and implement information safeguards to control risks.

4. Oversee the INFOSEC capabilities of service providers.

5. Evaluate and adjust the INFOSEC program on an ongoing basis.

These five elements represent nothing more than information security best practices, but those financial organizations that fall under the scope of the GLBA must implement them nonetheless. The positive thing about the safeguards rule is that it provides a framework that organizations should use to develop, implement, and maintain the required safeguards, but leaves organizations to use their own discretion to tailor their INFOSEC program to their own circumstances.

Executive management and CIOs of financial institutions should read the GLBA and understand its requirements since they are the officers primarily responsible for establishing and implementing the company’s INFOSEC program. This act gives them the authority, in fact the mandate, on which to base their program. Certainly the GLBA is not required reading for most ISSOs since they should already be aware of the five basic elements that the GLBA imposes.

Summary of Government Acts

In Canada, the PIPEDA applies to all private sector organizations that collect, use, or disclose personal information. The key requirement of this act is the principle of safeguards, which requires organizations to protect personal information against loss or theft, and to safeguard the information from unauthorized access, use, disclosure, copying, or modification. The PIPEDA does not prescribe “how to” protect personal information, but it does provide the legal and authoritative point of reference with which to impose certain safeguards. Therefore, ISSOs who are involved in the selection and application of appropriate safeguards should be loosely familiar with the requirements of this act.

In the U.S., the three most relevant acts to INFOSEC professionals are the HIPAA, SOX Act, and GLBA. First, the HIPAA mandates the protection of electronic health information and therefore applies to businesses in the health care industry such as health care providers, health plans, health care clearinghouses, and Medicare prescription drug sponsors. The HIPAA imposes substantial INFOSEC safeguards on these businesses but, as is typical of most acts, does not describe “how to” implement the necessary safeguards. ISSOs in the health care industry would be well advised to thoroughly understand the requirements of this act. Therefore, Hash’s (2005) publication is highly recommended reading.

Second, the U.S. Congress enacted the SOX Act specifically to protect investors by mandating that certain businesses disclose financial and accounting information. For the INFOSEC community, section 404 of this act is required reading. This section requires senior management to assess the effectiveness of their business’s IT control environment on an annual basis. Therefore, ISSOs should be aware of section 404 requirements, but familiarization with other sections of the SOX Act is not required.

Finally, the GLBA establishes the safeguards that financial institutions (such as banks, stocks and bonds dealers, and financial advice firms) must implement to protect their customers’ records and information. Other than directing financial institutions to implement an INFOSEC program and demonstrate compliance with their program, this act does not introduce anything new from an INFOSEC perspective. The GLBA simply provides a basic framework that organizations should use to develop their INFOSEC program, but leaves them to use their own discretion to tailor the program to their own circumstances. Since most ISSOs should already be familiar with the basic framework that the GLBA suggests, there is no need for them to read this act.

Rating of Government Acts

The four acts reviewed in this paper represent only those that appear to receive the greatest share of attention and are generally recognized as important landmarks within the INFOSEC community. Table 2 presents a summary of their value to ISSOs. Certainly, there are more acts that have some INFOSEC elements, but the limitations of this paper preclude a review of them all.

Table 2. Summary of acts and their helpfulness to ISSOs.

Title                                                                    Helpfulness
Personal Information Protection and Electronic Documents Act (PIPEDA)    mn
Health Insurance Portability and Accountability Act (HIPAA)              mno
Gramm-Leach-Bliley Act (GLBA)                                            mno
Sarbanes-Oxley Act (SOX Act)                                             mn

Chapter 6 - INFOSEC Standards

Information security is no longer solely an in-house issue. An organization’s IT assets are often widely distributed and linked via the Internet or other communication means such as dedicated backbones. In addition, many organizations link with multiple partner businesses both nationally and internationally. This growing interconnectivity is a cause of great concern for company directors. INFOSEC standards can alleviate much of this concern. From an INFOSEC perspective, standards are a level of quality that businesses accept as the norm. Standards provide organizations with some assurance that they have implemented an effective INFOSEC program and that they can be trusted to adequately protect the information they share with their business partners.

The important point about standards is that they are not obligatory (as acts are). Rather, standards achieve their end-state by the fact that they represent the consensus of multiple organizations. ISSOs should understand this distinction in order not to mislead their CIO. There is no legal requirement to comply with a standard; however, doing so may be a method of meeting legal requirements imposed by acts and is definitely a good business practice.

A variety of INFOSEC standards exist, ranging from detailed security measures to high-level frameworks. Frameworks simply present ideas, principles, agreements, or rules that provide an outline that businesses can use to fully develop a more detailed program. The following INFOSEC standards and frameworks represent the most influential security standards within the INFOSEC community. Therefore, ISSOs should be acquainted with each of them to varying levels of understanding.

Generally Accepted Principles and Practices for Securing Information Technology Systems

The Generally Accepted Principles and Practices for Securing Information Technology Systems is one of the earlier INFOSEC guides published by NIST. However, the principles and practices that this guide recommends are timeless and are as valid today as they were almost ten years ago when the authors wrote them. This guide contains two distinct sections; therefore, the target audience depends on which section is of interest.

Senior management and senior INFOSEC professionals should read the chapter that explains the eight pervasive principles because these principles deal more with creating program policy or reviewing existing policy. On the other hand, ISSOs (and INFOSEC auditors) should focus on the fourteen common practices because these practices provide a common baseline of security requirements (Swanson, 1996).

This guide is definitely a high-level document, which presents generic principles and practices, making it suitable for organizations of any size, in both private and public sectors. The objective of this guide is to provide organizations with a common understanding of what they need to do to secure their IT resources. Despite being ten years old, it remains an important document because it provides the groundwork for organizations to understand the basic security requirements that most IT systems should contain.

As the name of this guide implies, the eight principles that this guide prescribes are generally accepted worldwide (i.e., they are the principles that almost everyone applies when developing or maintaining a system and therefore have become generally accepted). The eight principles are:

1. Computer security supports the mission of the organization.

2. Computer security is an integral element of sound management.

3. Computer security should be cost effective.

4. System owners have security responsibilities outside their own organizations.

5. Computer security responsibilities and accountability should be made explicit.

6. Computer security requires a comprehensive and integrated approach.

7. Computer security should be periodically reassessed.

8. Computer security is constrained by societal factors (Swanson, 1996).

These eight principles should not require any further explanation to most senior management officials, and it is really beyond the scope of this paper to do so.

The major focus of this guide (and of greatest interest to ISSOs) is the fourteen practices, which describe the types of controls, objectives, and procedures of an effective INFOSEC program. These practices show organizations what they should do to enhance or assess their current INFOSEC program. They are not comprehensive practices; rather they represent a baseline standard. Each practice is derived from one or more of the eight generally accepted principles. Therefore, most organizations should implement all of the practices and augment them with other practices depending on their needs (Swanson, 1996). A detailed listing of the specific practices is not practical within the scope of this paper. The important point is that the practices provide the foundation for a sound INFOSEC program and all ISSOs should thoroughly familiarize themselves with them.

OECD Guidelines for the Security of Information Systems and Networks

On November 26, 1992, the Organisation for Economic Co-operation and Development (OECD) published its landmark Guidelines for the Security of Information Systems report. This report arose from the need to address the potential threats to information systems that cross national boundaries. Therefore, a group of experts from 24 OECD member nations gathered to produce suitable recommendations (Organisation for Economic Co-operation & Development, 1992). Ten years later, the OECD recognized that the use of information systems and networks had dramatically changed from what they wrote about in their 1992 guide.

Therefore, in 2002, the OECD republished their recommendations under a new report titled Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. The aim of this guide is to promote a culture of security; raise awareness of risks; and promote co-operation in the development of information security policies, practices, and procedures. The nine principles of the 2002 version include awareness; responsibility; response; ethics; democracy; risk assessment; security design and implementation; security management; and reassessment (Organisation for Economic Co-operation & Development, 2002).

The OECD guide provides an ideal forum for nations to agree on very broad principles of information systems security. However, this guide holds little practical value for ISSOs.

Generally Accepted Information Security Principles (GAISP)

In August 2003, the International Information Security Association (ISSA) published version 3.0 of the Generally Accepted Information Security Principles (GAISP) guide. The GAISP is actually an ongoing project that started out in 1992 as the Generally Accepted Systems Security Principles (GASSP), which was discussed in Smith’s (2005) study, in response to the Computers at Risk report (U. S. National Research Council, 1991). However, under the original direction of the International Information Security Foundation (IISF), the GASSP did not achieve the success that it hoped for and subsequently stalled. Therefore, the ISSA has now taken on the initiative to complete this project and they quickly renamed it, substituting the word “information” for the word “systems” to reflect that it is really the information that they want to secure, not the systems themselves (International Information Security Association, 2003).

The objectives of the GAISP project are quite broad and quite audacious, namely to collect and encapsulate the existing body of knowledge, and come to an agreement on what principles best serve the INFOSEC profession. By doing so, the GAISP foresees that it could ward off the need for governments to assume control and issue regulations, thereby allowing the INFOSEC profession to grow internationally and remain a self-regulated profession (International Information Security Association, 2003). One of the first orders of business for the revitalized GAISP was to create and publish their own set of generally accepted principles and practices that would serve as an authoritative foundation of existing works. They envisioned creating these principles in a higher to lower hierarchical scheme starting at the top with pervasive principles that describe concepts and governance issues; followed by broad functional principles that describe what to do; and finally by detailed principles that describe how to implement the security practices. Version 3.0 of the GAISP provides two parts of this goal: the pervasive and the broad functional principles.

The target audience for the pervasive principles is executive level management and senior IT professionals, such as the CIO. The pervasive principles address the three universal goals of information security, namely confidentiality, integrity, and availability of information. The nine pervasive principles are directly founded on the same nine principles endorsed and published by the OECD, so there is no benefit to listing them again here.

The bulk of the GAISP guide is devoted to explaining the 14 broad functional principles. These principles are derived from, and support, the nine pervasive principles. They are more detailed, but remain high-level “what to do” statements. Therefore, the target audience remains more senior IT professionals, such as the CIO.

Unfortunately for ISSOs, the detailed principles are not yet developed. According to the GAISP, these principles will define “how” to implement the nine pervasive principles and the 14 broad functional principles. Nevertheless, until the detailed principles are developed, the GAISP, in its current version, holds little value for most ISSOs.

German IT Security Guidelines

The German Federal Office for Information Security (BSI) published the IT Security Guidelines in 2004 specifically for IT managers and administrators in small and medium size companies. BSI developed these guidelines in response to the growing statutory requirements making company directors liable for matters of IT security. Recent legislation in Germany, such as the German Stock Corporation Act and the Limited Liability Act, makes directors personally liable and places obligations on senior management to act. Moreover, the Commercial Code places obligations on auditors to check whether businesses accurately present the risks to their IT systems (Federal Office for Information Security, 2004).

The objective of BSI’s IT Security Guidelines is to present the most important IT security measures in the areas of organization, infrastructure, and technical security measures (Federal Office for Information Security, 2004). This concise 48-page guide introduces typical scenarios of “what not to do,” explains the most common failures to act, and describes 50 essential security measures. The 50 essential security measures include high-level statements and the detailed explanations of “how to” implement the prescribed measure. ISSOs will not find this level of detail in many of the other security standards documents.

The IT Security Guidelines is really the prelude to a much more comprehensive manual that BSI also publishes. Their IT Baseline Protection Manual claims to be the basis for establishing a professional INFOSEC program. It contains field-proven security measures that even organizations implementing the latest technologies can readily implement. In Germany, the Federal Commissioner for Data Protection recognizes the IT Baseline Protection Manual as the virtual standard for their country (Federal Office for Information Security, 2004).

The manual itself is quite expansive, weighing in at 2,377 pages separated into three distinct sections: the basic modules, the threats catalogue, and the safeguards catalogue. The basic modules describe the threat scenarios along with the appropriate safeguards for the various components, procedures, and IT systems. The threats catalogue further expands on the information presented in the basic modules by giving much more detailed descriptions of the specific threats. The five basic categories of threats discussed are force majeure; organizational shortcomings; human failures; technical failures; and deliberate acts. Similarly, the safeguards catalogue expands on the information presented in the basic modules by giving detailed descriptions of the specific safeguards. The six categories of safeguards discussed are infrastructural safeguards; organizational safeguards; personnel safeguards; software and hardware safeguards; communications safeguards; and contingency planning safeguards.

Of the many INFOSEC documents reviewed in this paper, the IT Baseline Protection Manual is clearly the most comprehensive work on IT security. ISSOs in any size organization would benefit from this manual, but more importantly those ISSOs with less experience will find this manual highly informative and worthy of their investment. It can be downloaded free of charge from www.bsi.bund.de/gshb.

COBIT®

Under the overall guidance of the IT Governance Institute, research into international standards, guidelines, and best practices led to the development of the Control Objectives for Information and related Technology (COBIT®). In 2005, the IT Governance Institute released the fourth edition of COBIT®, developed by a panel of 40 experts from academia, government, and various INFOSEC professions, all strongly supported by the Gartner Group and PricewaterhouseCoopers (IT Governance Institute, 2005).

COBIT® is essentially an IT management framework that describes "what" organizations need to achieve to exercise adequate management and control over their IT program. Therefore, its target audience is senior-level managers who hold security, privacy, and risk responsibilities, not the typical ISSO. This framework prescribes 34 high-level control objectives, each with its own management guidelines, maturity model, critical success factors, key goal indicators, and key performance indicators. COBIT® defines a "control objective" as a statement of the desired result or purpose to be achieved by implementing control procedures (IT Governance Institute, 2005).

The COBIT® framework organizes its 34 control objectives, and their supporting activities, into four domains (each a collection of processes): plan and organize; acquire and implement; deliver and support; and monitor and evaluate. The COBIT® framework therefore links IT processes to typical business phases. In other words, business requirements drive IT processes, which in turn manage IT activities and resources.

However, COBIT® does not provide any detailed practices describing "how" to manage or implement lower-level aspects of IT. Consider the following example in Figure 1, presented in a format similar to that of the COBIT® manual.

Figure 1. Example of how COBIT® presents its control objectives.

Domain - Deliver and Support (DS)
Process DS5 (high-level control objective) - Ensure systems security
By focusing on - defining IT security policies, procedures, and standards, and monitoring, detecting, reporting, and resolving security vulnerabilities and incidents.
Is achieved by - (a) understanding security requirements, vulnerabilities, and threats; (b) managing user identities and authorizations in a standard manner; and (c) testing security regularly.
And is measured by - (a) number of incidents damaging reputation with the public; (b) number of systems where security requirements are not met; and (c) number of violations in segregation of duties.

COBIT® does not specify how organizations are to manage user identities, what standard manner should be used, how to test security, or how regularly. To achieve this level of detail, COBIT® relies heavily on supporting resources such as the ISO/IEC 17799 standard and the Information Security Forum's (ISF) Standard of Good Practice for Information Security. Both of these documents are discussed later in this paper.

Because COBIT® lacks the level of detail needed for day-to-day security operations, it is of little value to ISSOs. At best, it may be a suitable complement to other security documents, but on its own it does not provide sufficient guidance for ISSOs.

ISO/IEC 17799 Code of Practice for Information Security Management

In 2005, the International Organization for Standardization, jointly with the International Electrotechnical Commission (ISO/IEC), published the second edition of this international standard. The standard's full title is ISO/IEC 17799 Information Technology - Security Techniques - Code of Practice for Information Security Management, but it is popularly referred to simply as ISO 17799. This standard establishes the baseline requirements for an INFOSEC program in an organization of any size or type, in both the public and private sectors (International Organization for Standardization, & the International Electrotechnical Commission, 2005).

The ISO 17799 standard is an internationally recognized guide developed by ISO's Joint Technical Committee 1 - Information Technology, Subcommittee 27 - IT Security Techniques, with input from a consortium of companies to meet industry needs. According to ISO's directives, publication as an international standard requires approval by at least 75 percent of the member bodies casting a vote. Therefore, this standard represents the consensus of a considerable body of expertise.

The history of the ISO 17799 standard dates back to 1993 when the Department of Trade and Industry in the United Kingdom (U.K.) first published its "code of practice." In 1995, the British Standards Institution adopted this code of practice and released it as BS 7799 Part 1; Part 2, the certification specification, followed in 1998. In 2000, the ISO took charge of Part 1 of BS 7799 and reissued it as ISO/IEC 17799:2000 (Part 2 is discussed in the next section of this paper). In 2005, the ISO/IEC revised and reissued the standard to reflect the ever-changing risks, controls, and best practices relevant to INFOSEC management. The ISO expects to revise this standard again in 2007 to bring it in line with its new family of standards in the 27000 series (it will likely be issued as ISO 27002) (International Organization for Standardization, & the International Electrotechnical Commission, 2005).
The ISO 17799 standard is a generic advisory document that provides a set of controls considered to be a good starting point for implementing an INFOSEC program. The recommended controls are typically based on legislative requirements or common practice within the INFOSEC community. The standard itself contains 11 security control "clauses." Ten of these security clauses were introduced in Chapter 2 - Elements of an INFOSEC Program, while the 2005 edition of ISO/IEC 17799 adds the eleventh clause, information security incident management. The security clauses collectively prescribe a total of 39 main security categories. Furthermore, each security category provides its own statement of what is to be achieved (i.e., the control objective) and one or more controls that ISSOs can apply to achieve the control objective, each with its own implementation guidance (i.e., safeguards). In total, the 2005 edition of the standard lists 133 individual controls that ISSOs could apply (the 2000 edition listed 127). Figure 2 provides an example illustrating how the ISO 17799 hierarchy works:

Figure 2. Example of how ISO 17799 organizes and presents safeguards.

Clause 11 - Access control
Category 11.5 - Operating system access control
Control 11.5.3 - Password management system

Control. Systems for managing passwords should be interactive and should ensure quality passwords.

Implementation guidance (i.e., safeguards). A password management system should:
(a) enforce the use of individual user IDs and passwords to maintain accountability;
(b) allow users to select and change their own passwords and include a confirmation procedure to allow for input errors;
(c) enforce a choice of quality passwords;
(d) enforce password changes;
(e) force users to change temporary passwords at the first log-on;
(f) maintain a record of previous user passwords and prevent re-use;
(g) not display passwords on the screen when being entered;
(h) store password files separately from application system data; and
(i) store and transmit passwords in protected (e.g., encrypted or hashed) form.

Other information. Passwords are one of the principal means of validating a user's authority to access a computer service.
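The control in Figure 2 can be implemented almost line for line. The password management system below is an added example written for this guide; it is not code from the standard or from any vendor. Each of the implementation guidance items (a) to (i) is tied to a concrete check or design decision in the code. The parameter values (12-character minimum, five-entry history, 90-day maximum age, PBKDF2-HMAC-SHA256 with 600,000 iterations), the quality rule (three of four character classes and no user ID inside the password), and the user names and passwords in the sample run are assumptions chosen for illustration, not values the standard specifies.

```python
"""Password management system implementing ISO/IEC 17799:2005 control 11.5.3.

Added example for this guide, not code from the standard. Parameter values and
the quality rule are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import string
import time

MIN_LENGTH = 12                 # (c) quality: assumed minimum length
HISTORY_DEPTH = 5               # (f) previous passwords that may not be reused (assumed)
MAX_AGE_SECONDS = 90 * 86400    # (d) enforced change after this age (assumed)
PBKDF2_ITERATIONS = 600_000     # (i) protected storage: PBKDF2-HMAC-SHA256, salted


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks nothing through timing."""
    return hmac.compare_digest(_derive(password, salt), digest)


def password_quality_ok(user_id: str, password: str) -> bool:
    """(c) quality: length, three of four character classes, no user ID inside."""
    if len(password) < MIN_LENGTH or user_id.lower() in password.lower():
        return False
    classes = [any(ch.islower() for ch in password),
               any(ch.isupper() for ch in password),
               any(ch.isdigit() for ch in password),
               any(ch in string.punctuation for ch in password)]
    return sum(classes) >= 3


class PasswordStore:
    """(h) Credential records live here, apart from application data. A record
    holds salt, digest, history, and change metadata, never the password itself."""

    def __init__(self):
        self._records = {}          # (a) one record per individual user ID

    def create_user(self, user_id: str, temporary_password: str, now=None) -> None:
        salt = secrets.token_bytes(16)
        self._records[user_id] = {
            "salt": salt,
            "digest": _derive(temporary_password, salt),
            "history": [],          # (f) (salt, digest) pairs of retired passwords
            "must_change": True,    # (e) temporary password: change at first log-on
            "changed_at": now if now is not None else time.time(),
        }

    def authenticate(self, user_id: str, password: str, now=None) -> str:
        """Returns 'ok', 'denied', or 'change_required'. (g) Nothing here echoes
        or logs the password; the log-on screen must mask it as well."""
        rec = self._records.get(user_id)
        if rec is None:
            _derive(password, b"\x00" * 16)   # equalise timing for unknown user IDs
            return "denied"
        if not _matches(password, rec["salt"], rec["digest"]):
            return "denied"
        now = now if now is not None else time.time()
        if rec["must_change"] or now - rec["changed_at"] > MAX_AGE_SECONDS:
            return "change_required"          # (d)/(e) caller routes to change_password
        return "ok"

    def change_password(self, user_id: str, old: str, new: str, confirm: str,
                        now=None) -> str:
        """(b) user-initiated change with confirmation; returns 'changed' or a reason."""
        rec = self._records.get(user_id)
        if rec is None or not _matches(old, rec["salt"], rec["digest"]):
            return "denied"
        if new != confirm:
            return "confirmation_mismatch"     # (b) catches input errors
        if not password_quality_ok(user_id, new):
            return "weak_password"             # (c)
        if _matches(new, rec["salt"], rec["digest"]) or any(
                _matches(new, s, d) for s, d in rec["history"]):
            return "reused_password"           # (f)
        rec["history"] = ([(rec["salt"], rec["digest"])] + rec["history"])[:HISTORY_DEPTH]
        rec["salt"] = secrets.token_bytes(16)  # fresh salt for every new password
        rec["digest"] = _derive(new, rec["salt"])
        rec["must_change"] = False
        rec["changed_at"] = now if now is not None else time.time()
        return "changed"


if __name__ == "__main__":
    # Constructed sample run, not real accounts.
    store = PasswordStore()
    store.create_user("alice", "Temp-Pass-2006!")
    print(store.authenticate("alice", "Temp-Pass-2006!"))                  # change_required
    print(store.change_password("alice", "Temp-Pass-2006!",
                                "Correct-Horse-42", "Correct-Horse-42"))    # changed
    print(store.authenticate("alice", "Correct-Horse-42"))                 # ok
```

Item (g) belongs to the log-on screen rather than to the store, so the store can only guarantee that it never returns or logs the password. One caveat a practitioner should weigh: item (d), enforced periodic change, reflects the 2005 standard, whereas NIST SP 800-63B (2017) advises verifiers not to require periodic changes without evidence of compromise; MAX_AGE_SECONDS is the setting to relax if local policy follows that later guidance.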

As demonstrated by this example, the level of detail that the ISO 17799 standard provides

is ideal for ISSOs and it would not be difficult for them to implement such control objectives.

Furthermore, the ISO 17799 is a technology-neutral standard, so ISSOs have enough flexibility

to apply any technology available to implement and achieve the desired control objectives. In

fact, achieving all of the control objectives is not necessary to be compliant with the ISO 17799

standard. The ISO 17799 standard simply requires that organizations select the controls they

require based on their own unique security requirements so long as the risks have been reduced

to an acceptable level (International Organization for Standardization, & the International

Electromechanical Commission, 2005).

While the ISO 17799 standard represents Part 1 of the original BS 7799, it is difficult to separate it from Part 2 of BS 7799, which remained under the British Standards Institution. These two parts work in harmony. ISO 17799 provides a compliance framework for organizations to self-measure whether they have implemented the required controls. This in turn could lead to certification under BS 7799 Part 2, but this is optional.

Simply complying with ISO 17799 brings a number of benefits to organizations. For

example, the HIPAA security rule emphasizes the same controls as the ISO 17799 standard but

places emphasis on the protection of electronic health information. Therefore, complying with

ISO 17799 is an ideal beginning to achieving compliance under the HIPAA. Furthermore,

certification also has a number of benefits for organizations, such as formally demonstrating to

their business partners that they are compliant with the standard, which in turn assures their

commitment to INFOSEC. ISSOs should understand an important distinction here. Certification

is optional so a company may still comply with ISO 17799 without being certified. Certification

is only possible with BS 7799 Part 2.

The ISO/IEC 17799 standard represents a rigorously structured guide sponsored by the

efforts of a considerable group of experts, and goes a long way to improving INFOSEC in any

size or type of organization. Therefore, ISSOs should thoroughly study this standard and make a

serious commitment to implementing it.

BS 7799-2 Specification for Information Security Management Systems

As noted above, the British Standards Institution published the current edition of the BS 7799-2 standard in 2002 (the first edition appeared in 1998). Note: at the time of writing this paper, the ISO has taken over the BS 7799-2 standard and reissued it as ISO/IEC 27001:2005; however, this paper reviews the original BS 7799-2. The main purpose of the BS 7799-2 standard is to provide the requirements for INFOSEC management and the assessment basis for certification. According to the ISO Web site, over 1,800 organizations have already been certified against BS 7799-2.

It is important that ISSOs understand the relationship of the BS 7799-2 standard to the

ISO 17799 standard. The control objectives and safeguards prescribed by the BS 7799-2

standard are directly derived from those listed in the ISO 17799 standard. Therefore, familiarity

with the ISO 17799 standard is sufficient for most ISSOs.

However, what the BS 7799-2 standard adds, which ISSOs will not find in ISO 17799, is a process framework (similar to COBIT®). The process framework addresses senior management's need to emphasize the importance of (a) understanding business information security requirements, (b) implementing and operating controls to manage risks, (c) monitoring and reviewing the performance and effectiveness of the INFOSEC management program, and (d) improving the INFOSEC program. The process framework is known as "Plan-Do-Check-Act" (PDCA) (BSI British Standards, 2001).

The "plan" phase ensures that the content and scope of the INFOSEC management program are correctly established, the security risks are assessed, and a plan is developed to address identified risks. The "do" phase implements the decisions made in the plan phase. The "check" phase verifies that the safeguards implemented are functioning as intended. The "act" phase reviews the implemented security solutions with a view to improving them (BSI British Standards, 2001).

The PDCA framework also emphasizes synergy with other management systems such as

ISO 9001 (Quality Management Standard) and ISO 14001 (Environmental Management System)

thereby providing a consistent and integrated implementation and operation of management

standards (BSI, British Standards, 2001). In addition, the PDCA model reflects the principles set

by the OECD in their Guidelines for the Security of Information Systems and Networks (BSI,

British Standards, 2001).

Finally, the PDCA model compares nicely with the steps in the GLBA and is an excellent guide with which to demonstrate compliance with the SOX Act. Therefore, the BS 7799-2 standard is an ideal guide with which to assess an organization's ability to meet customer, organizational, and legal requirements. The value of the BS 7799-2 standard to ISSOs is similar to that of COBIT®: it may be a suitable complement to other security documents, but on its own it does not provide sufficient guidance for ISSOs.

Summary of INFOSEC Standards

The growing interconnectivity among multiple businesses has become a cause of great concern for company directors, but it can be alleviated by implementing INFOSEC standards. These standards provide the level of quality that businesses accept as the norm and demonstrate their trustworthiness from an information protection perspective. Standards provide organizations with a set of INFOSEC rules that they are expected to follow, but not obliged to (unless they are seeking certification to a standard). Furthermore, they may be acceptable methods of achieving compliance with regulatory acts. This section has presented seven of the most commonly accepted INFOSEC standards, which are summarized below.

NIST’s Generally Accepted Principles and Practices for Securing Information

Technology Systems presents principles and practices that are timeless and are as valid today as

they were almost ten years ago when the authors wrote them. Senior management and senior

INFOSEC professionals should understand the eight pervasive principles because these

principles deal more with creating program policy or reviewing existing policy. On the other

hand, ISSOs should focus on the fourteen common practices because these practices provide a

common baseline of security requirements.

The OECD's Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security promotes a culture of security, raises awareness of risks, and promotes co-operation in the development of information security policies, practices, and procedures. Its nine principles provide an ideal forum for nations to agree on very broad principles of information systems security. However, this guide holds little practical value for ISSOs.

The Generally Accepted Information Security Principles (GAISP) guide has tried to serve as an authoritative foundation for existing INFOSEC standards by establishing a hierarchical scheme, from higher to lower, of pervasive principles, broad functional principles, and detailed principles. Unfortunately for ISSOs, the detailed principles are not yet developed, so the GAISP, in its current version, holds little value for most ISSOs.

Germany's IT Security Guidelines and their companion IT Baseline Protection Manual provide IT managers and administrators in small and medium-sized companies with a comprehensive means of establishing a professional INFOSEC program. The manual contains highly detailed and field-proven security measures that all organizations, even those implementing the latest technologies, can readily implement. ISSOs will not find this level of detail in many of the other security standards documents. It is clearly the most comprehensive work on IT security, and ISSOs will find this manual highly informative and worthy of their investment.

COBIT® is an IT management framework that describes "what" organizations need to achieve to exercise adequate management and control over their IT program. Its target audience is senior-level managers who hold security, privacy, and risk responsibilities, not the typical ISSO. COBIT® does not provide any detailed practices describing "how" to manage or implement lower-level aspects of IT; rather, it relies on complementary documents such as the ISO 17799 standard and ISF's Standard of Good Practice for Information Security to round out its usefulness. Because COBIT® lacks the level of detail needed for day-to-day security operations, it is of little value to ISSOs. At best, it may be a suitable complement to other security documents, but on its own it does not provide sufficient guidance for ISSOs.

The ISO 17799 standard is an internationally recognized guide that provides a set of

controls considered to be good enough to implement a solid INFOSEC program. The

recommended controls are typically based on legislative requirements or common practices

within the INFOSEC community. Therefore, complying with ISO 17799 brings a number of

benefits to organizations and is an ideal beginning to achieving compliance under the HIPAA.

The level of detail and flexibility that the ISO 17799 standard provides is ideal for ISSOs and it

would not be difficult for them to implement the recommended control objectives. The ISO

17799 standard represents a rigorously structured guide sponsored by the efforts of a

considerable group of experts, and goes a long way to improving INFOSEC in any size or type

of organization. Therefore, ISSOs should thoroughly study this standard and make a serious

commitment to implementing it.

Finally, BS 7799-2 stands as the complementary standard to ISO 17799, and therefore familiarity with the ISO 17799 standard is sufficient for most ISSOs. The BS 7799-2 standard does, however, add a process framework (similar to COBIT®) that will be of interest to senior management. The process framework known as "Plan-Do-Check-Act" (PDCA) compares nicely with the steps in the GLBA and is an excellent guide with which to demonstrate compliance with the SOX Act. Perhaps the most important benefit of the BS 7799-2 standard is that it permits organizations to be formally certified as compliant with the standard, which could well provide them with a competitive advantage. According to the ISO Web site, over 1,800 organizations have already been certified against BS 7799-2.

Rating of INFOSEC Standards

The seven standards reviewed in this paper represent those standards that have received consensus among the international community and are generally recognized as important milestones within the INFOSEC community. Table 3 summarizes their value to ISSOs. Certainly, there are more standards, some of which are identified in Appendix B. However, the limitations of this paper preclude a review of them all.

Table 3. Summary of INFOSEC standards and their helpfulness to ISSOs (six-point scale; 6 = most helpful).

Title                                                                   Helpfulness
Generally Accepted Principles and Practices for Securing Information
  Technology Systems                                                    4 of 6
OECD Guidelines for the Security of Information Systems and Networks    1 of 6
Generally Accepted Information Security Principles (GAISP)              3 of 6
German IT Security Guidelines                                           6 of 6
COBIT®                                                                  2 of 6
ISO/IEC 17799 Code of Practice for Information Security Management      6 of 6
BS 7799-2 Specification for Information Security Management Systems     4 of 6

Chapter 7 - INFOSEC Guidelines and Best Practices

Within the context of INFOSEC, guidelines are advice given to show organizations how

they should do something. While not obligatory, they are widely recognized as suitable and

reliable means of meeting the security requirements of acts and standards. ISSOs can greatly

benefit from reading guidelines because they often result from best practices, which in turn arise

through experience and research. Therefore, guidelines and best practices are often the methods

of the recognized leaders in the INFOSEC community, but have not yet made it to becoming a

standard. These recognized leaders publish guidelines and best practices to ensure a consistent

application of the intended regulation or standard. The following references represent the most

common security guidelines and best practices that have influenced the development of, or have

been derived from, many of the previously discussed acts and standards.

AICPA/CICA Privacy Framework

The American Institute of Certified Public Accountants (AICPA) and the Canadian

Institute of Chartered Accountants (CICA) jointly established an enterprise-wide privacy task

force to examine the role that certified public accountants / chartered accountants (CPAs/CAs)

could play in helping businesses develop and implement privacy programs (American Institute of

Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2004).

Their work resulted in the development of a Privacy Framework that they originally published

on November 15, 2003, and later revised on March 22, 2004. The target audience of this

document is CPAs and CAs both in industry and public practice because the task force

concluded that they possess the skills necessary to implement effective privacy practices in any

organization – large or small (American Institute of Certified Public Accountants, Inc. and

Canadian Institute of Chartered Accountants, 2004). However, ISSOs will also gain a great deal

of value from reading this document.

This is an important document because it introduces a privacy framework for protecting

personal information, which ISSOs can use to guide and assist them in supporting their

company’s privacy program. Within the context of security objectives, the Privacy Framework

aims to help businesses mitigate privacy risks and comply with privacy laws. ISSOs can use this

framework to demonstrate assurance that their organization is meeting the security and safeguard

components of the PIPEDA. Specifically, the section entitled Trust Services Privacy

Components and Criteria, which provides relevant, objective, complete, and measurable criteria

for evaluating an organization’s INFOSEC safeguards (American Institute of Certified Public

Accountants, Inc. and Canadian Institute of Chartered Accountants, 2004). Of particular

relevance to ISSOs, the security criteria include INFOSEC program procedures and controls

such as:

1. Administrative safeguards. These include conducting periodic risk assessments,


handling security breaches and incidents, preventing unauthorized access,
implementing software patches, and detecting actual and attempted attacks or
intrusions.

2. Technical safeguards. These include implementing logical access controls for


remote access and configuring firewalls.

3. Physical safeguards. These include enforcing physical access controls including


archival and backup methods.

4. Environmental safeguards. These include diminishing the risks of fire, flood, dust,
power failure, and excessive heat and humidity.

This document also uses numerous illustrations and explanations to help ISSOs

understand the criteria and navigate the collage of privacy laws and guidelines. The Privacy

Framework also includes an attachment that cross-references the privacy concepts that are

illustrated in various domestic and international acts and guidelines such as the GLBA, HIPAA,

PIPEDA, and OECD guidelines. While not comprehensive, this cross-reference table may be

valuable to ISSOs who are juggling multiple acts and guidelines in parallel.

ISO/IEC TR 13335 Guidelines for the Management of IT Security (GMITS)

The main task of the International Organization for Standardization, jointly with the International Electrotechnical Commission (ISO/IEC), is to prepare and publish international standards. However, in exceptional circumstances, a technical committee may prepare a Technical Report when it has information to publish that differs from what is normally published as an international standard (International Organization for Standardization, & the International Electrotechnical Commission, 1996). ISO/IEC TR 13335 falls into this category. In 1996, the ISO/IEC Joint Technical Committee started working on a series of technical reports under the general title of Guidelines for the Management of Information Technology Security (GMITS). Initially the GMITS was envisioned to be only three parts: Part 1 – Concepts and models for IT security, Part 2 – Managing and planning IT security, and Part 3 – Techniques for the management of IT security, with a note that additional parts might be added in the future. In 2000, Part 4 – Selection of safeguards was added, followed by Part 5 – Management guidance on network security in 2001. Together, these five technical reports make up the GMITS.

The main purpose of these technical reports is to provide guidance on management

aspects of IT security. These reports are not intended to prescribe solutions. Rather, ISSOs are

expected to be able to adapt the information presented in these reports to meet their

organization’s needs. In general terms, these technical reports strive to (a) define and describe

the concepts associated with the management of IT security, (b) identify the relationships

between the management of IT security and management of IT in general, (c) present several

models that explain IT security, and (d) provide general guidance on the management of IT

security. To achieve these lofty goals, the ISO/IEC TR13335 is organized into five parts. Each

of these parts is discussed independently below.

GMITS – Part 1 - Concepts and models for IT security. Published in 1996, Part 1

presents the basic management concepts and models used to describe the management of IT

security and is aimed at IT security managers. However, this knowledge is considered essential

introductory material for all INFOSEC professionals. In only 18 pages, GMITS - Part 1

identifies how higher-level enterprise objectives, strategies, and policies influence the

organization’s security objectives, strategies, and polices. This report discusses the requirements

for the definition of a policy; the identification of roles and responsibilities; systematic risk

management; configuration and change management; contingency and disaster recovery

planning; and selecting and implementing safeguards. Although discussion of these topics is

kept at a very high level (suitable for more senior management), this higher level of

understanding is also suitable for INFOSEC professionals who are just starting out in their

career.

GMITS – Part 1 provides a good overview (i.e., definition) of the major topics typically

associated with the process of managing IT security such as assets, threats, vulnerabilities,

impact, risk, safeguards, residual risk, and constraints. In addition, it describes a number of other

processes that support the ongoing management of IT security. These supporting processes

include configuration management; change management; risk management; risk analysis;

accountability; security awareness; monitoring; and contingency plans and disaster recovery.

Finally, GMITS – Part 1 presents a few models, which graphically demonstrate the relationship

between the various security elements, and how they interrelate with risk management. ISSOs

and IT security managers can use these models to look at security from a threat view, vulnerability view, or impact view (International Organization for Standardization, & the International Electrotechnical Commission, 1996).

GMITS - Part 2 – Managing and planning IT security. Published in 1997, Part 2 is a short report, consisting of only 14 pages. It discusses subjects essential to the management and planning aspects of IT security and is relevant to IT security managers or other managers who make substantial use of IT systems. Part 2 assumes the reader is familiar with the basic concepts presented in Part 1. This report focuses on high-level issues such as what a sound corporate IT security policy should address, the basic relationship between different organizational policies (not just IT security policies), and organizational aspects such as the importance of following a consistent management approach to IT security throughout the enterprise.

GMITS – Part 2 also provides an overview of the advantages and disadvantages of various strategic-level risk analysis options. The options discussed are the (a) baseline approach, (b) informal approach, (c) detailed risk analysis approach, and (d) combined approach. As well, Part 2 introduces a number of security recommendations to reduce the security risks to an acceptable level. The recommendations cover the selection and implementation of safeguards, acceptance of risk, development of the system security policy and plan, and implementation of the security awareness program. Finally, Part 2 provides a very brief mention of follow-up activities such as maintenance, security compliance, monitoring, and incident handling (International Organization for Standardization, & the International Electrotechnical Commission, 1997).

GMITS - Part 3 – Techniques for the management of IT security. Published in 1998, Part 3 provides more in-depth information about the security techniques (as opposed to processes) that are appropriate for IT security managers who are involved in project life cycles. This report consists of 47 pages and begins with linkage back to Parts 1 and 2 by reviewing the basic IT security management processes. Furthermore, it explains how the results of these processes feed back into and affect the various parts of the whole IT security management framework. Part 3 goes into great detail explaining how to implement the "combined approach" to risk management (this approach was introduced in Part 2 as one of the four strategic options for risk management) and proposes a methodology-based identification of security needs. This methodology starts with the identification and valuation of assets and progresses through appropriate activities including assessing threats, vulnerabilities, and risks; identifying and selecting safeguards; identifying and reviewing constraints; and preparing and implementing the IT system security policy and plan. Finally, Part 3 includes a number of annexes that provide the outline of an example corporate IT security policy, strategies for the valuation of assets, a list of possible threat types, examples of common vulnerabilities, and a quantitative method suitable for risk analysis (International Organization for Standardization, & the International Electrotechnical Commission, 1998).

GMITS - Part 4 – Selection of safeguards. Published in 2000, Part 4 provides the process for the selection of safeguards through the use of baseline models. GMITS – Part 4 is the largest of the five technical reports, filling 61 pages of information describing how to achieve appropriate protection. This report begins by reviewing the concepts of baseline security and progresses to describe exactly how to establish the baseline security requirements for an IT system. To achieve this, GMITS – Part 4 walks the reader through the processes of identifying the type of system to be protected, identifying the physical and environmental conditions the system operates in, and assessing the existing and planned safeguards. Part 4 then classifies the most typical types of safeguards, including a brief explanation of the protection they provide, into two broad categories: (a) organizational and physical safeguards, and (b) IT system-specific safeguards.

Organizational and physical safeguards include (a) IT security management and policies, (b) security compliance checking, (c) incident handling, (d) personnel, (e) operational issues, (f) business continuity planning, and (g) physical security. Typically these safeguards apply to all IT systems. System-specific safeguards include (a) identification and authentication, (b) logical access controls and audit, (c) protection against malicious code, (d) network management, and (e) cryptography. Typically these safeguards are only applied after in-depth consideration of the organization's protection needs.

Part 4 describes the process of selecting safeguards according to specific security

concerns and threats. The concerns covered in Part 4 include loss of: confidentiality, integrity,

availability, accountability, authenticity, and reliability. Specific threats are discussed for each

of these concerns. Figure 3 illustrates the typical threats discussed in Part 4 and what concern

they are associated with.

Figure 3. Typical threats to confidentiality, integrity, and availability.

Threats listed under all three concerns: malicious code; masquerading of user identity; misrouting and re-routing of messages; software failure; unauthorized access to computers, data, services, and applications; unauthorized access to storage media.

Confidentiality: theft; eavesdropping; electromagnetic radiation.

Integrity: use of unauthorized programmes and data; deterioration of storage media; transmission errors; supply failure (power, air conditioning); maintenance errors; technical failure; user errors; non-repudiation.

Availability: use of unauthorized programmes and data; transmission errors; supply failure (power, air conditioning); technical failure; user errors; theft; failure of communication equipment and services; fire and water damage; misuse of resources; natural disasters; traffic overloading; destructive attacks.

Many of these same threats are also applicable to accountability, authenticity, and reliability.

GMITS – Part 4 concludes with a strategy to determine and apply an organization-wide baseline level of protection where multiple IT systems are used (International Organization for Standardization, & the International Electrotechnical Commission, 2000).

GMITS - Part 5 – Management guidance on network security. Published in 2001, Part 5 provides guidance to IT security managers with respect to networks. This report builds on Part 4 and describes the identification and analysis of the factors that IT security managers should take into account to establish network security requirements. It does not prescribe the detailed design or implementation of technical safeguards; ISSOs should refer to more detailed security references for implementation guidance on technology-oriented safeguards. Instead, GMITS – Part 5 uses three criteria to assist ISSOs with the identification of potential safeguards.

First, ISSOs must consider the different types of network connections such as local area

networks (LAN), metropolitan area networks (MAN), and wide area networks (WAN), and the

protocols and topologies that each type of network uses. Then, ISSOs must consider the

different networking characteristics and the related trust relationships. For example, connections

within a single controlled location of an organization must be viewed differently than

connections between different geographically disparate parts of the same organization such as

regional offices. Similarly, connections with other organizations and connections with the

general public domain must be considered differently. Finally, ISSOs must consider the

potential type of security risk (confidentiality, integrity, availability, etc…) associated with those

network connections and the use of services provided by those connections. By combining the

output from these three criteria, ISSOs will generate a good picture of the potential safeguard

areas they need to consider. Part 5 discusses the safeguards that may be required, such as safeguards for remote login, remote system identification, secure single sign-on, audit trails, intrusion detection, network security management, security gateways, and virtual private network (VPN) connections (International Organization for Standardization, & the International Electrotechnical Commission, 2001).

Summary of GMITS Reports. These five technical reports complement each other nicely and ideally should be used together; however, they are not completely dependent upon each other. More experienced ISSOs could apply the concepts of one or more of these technical reports without having all five of them. Together, these reports provide comprehensive guidance on managing IT security that an organization of any size could use, although very small organizations may find the level of detail in these technical reports overwhelming (Macartney, 2005). For ISSOs, however, the level of detail in these reports is ideal and highly relevant to their day-to-day operations. Therefore, all ISSOs should build the foundation of their subject matter expertise on these technical reports. Each of these technical reports is short enough that ISSOs can read it in a few hours or less. Furthermore, ISSOs who are seeking the CISM qualification will not find any better reference material (Macartney, 2005).

An Introduction to Computer Security: The NIST Handbook

An Introduction to Computer Security is one of NIST’s keystone publications. Published

in 1995, this guide explains important concepts of computer security that apply to hardware,

software, and information. The target audience for this guide is ISSOs within federal

government; however, the concepts in this guide are equally applicable to private sector

business. Even though it is now more than 10 years old, the information and concepts that The

NIST Handbook presents are still valid today. In fact, the NIST Handbook is one of three

guidance documents that Macartney’s (2005) study ranked very highly noting that it addresses

many of the respective CISM domain tasks.

This guide provides ISSOs with a thorough overview of a wide variety of computer

security topics – beginning with the opening chapter on the basic elements of computer security

and ending with a case study of a hypothetical computer system. The chapters in between

present more detailed topics in three major sections:

1. Management controls. These are techniques and concerns that management normally addresses. They include controls that cover security policy, risk management, system lifecycle, and accreditation issues.

2. Operational controls. These are controls that people implement (as opposed to computer systems) and they rely on management controls being in place. Typical controls in this category address issues such as personnel security, incident handling, education and awareness training, configuration management, and physical and environmental security.

3. Technical controls. These are the controls that the computer system itself executes and that depend on the safe functioning of the system. Examples of technical controls include logical access controls, audit trails, and cryptography (Guttman, 1995).

However, this is not a “how to” guide. It does not provide complete procedures that

ISSOs need to implement the security safeguards. What it does provide is appropriate references

to more detailed articles and books. Furthermore, this guide also discusses the benefits of the

security safeguards and situations in which ISSOs would want to apply them (Guttman, 1995).

Therefore, The NIST Handbook is an outstanding educational guide that will help ISSOs develop

a sound approach to the proper selection of safeguards. Without question, this guide should be a

foundation document for all ISSOs.

RFC 2196 Site Security Handbook

A Request for Comments (RFC) is an Internet document that discusses many aspects of computer communications, focusing specifically on networking protocols, procedures, programs, and concepts, but it may also include opinion. The practice of publishing RFCs began in 1969 with the original ARPANET as a means of documenting, improving, and extending the network that became the Internet. Each RFC is assigned a category or status designation from one of the following categories:

1. Standard, draft standard, or proposed standard. These are standards documents that define official specifications of the Internet protocol suite under direction of the Internet Engineering Task Force (IETF).

2. Best current practice. These are official guidelines and recommendations, but not standards, from the IETF.

3. Informational, experimental. These documents provide information for the Internet community but do not specify a standard of any kind. Informational documents may originate in the IETF or may be independent submissions.

4. Historic. These are former standards that have been superseded or are otherwise obsolete; they are retained for their historical value.

In September 1997, the Network Working Group published RFC 2196 as an

informational document, on behalf of the Internet Society (ISOC) and the Internet Engineering

Task Force (IETF). This handbook represents the collective work of a large number of

contributing authors and provides ISSOs with practical advice on developing computer security

policies and procedures to protect their critical information assets (Fraser, 1997). RFC 2196

covers a wide variety of topics including security policy content, risk management, network

architecture concerns, firewalls, security services, confidentiality, integrity, authentication,

auditing, securing backups, and incident handling.

These topics are not discussed from a technical perspective. Rather, this guide discusses each topic from the viewpoint of the policies and procedures that are needed to support the technical security features that an organization plans to implement. The target audience for this guide is therefore decision makers such as middle management and the ISSOs who advise them.

Security plans are generally developed according to an accepted five-step approach:

1. Identify what you are trying to protect (i.e., asset evaluation).

2. Determine what you are trying to protect it from (i.e., threats).

3. Determine how likely the threats are (i.e., risks).

4. Implement safeguards to protect your assets in a cost-effective manner.

5. Review the process continuously and make improvements each time you find a
weakness (Fraser, 1997).

RFC 2196 focuses mostly on step four of this process to ensure that the efforts ISSOs expend on security are in fact cost effective and directed at the highest risks rather than at less threatening issues that simply attract publicity and media pressure. This approach is based on the security truism that the cost of protecting the information should be less than the cost of recovering it if a threat succeeded (Fraser, 1997).

While some of the information in this guide is dated, most of it remains valid from an educational perspective. ISSOs can easily transform the recommendations in this guide into a checklist of good security practices and perform a basic audit of the security practices their organization is implementing. Perhaps the most valuable recommendations this guide provides come from the chapter on incident handling, especially the section describing public relations after an incident has occurred. Overall, the Site Security Handbook provides basic guidance to ISSOs and, despite being published only as an informational document, contains much value for less experienced ISSOs.

The Standard of Good Practice for Information Security

The Information Security Forum (ISF) is an international association of over 250 leading organizations that develops practical research in INFOSEC. The Standard of Good Practice for Information Security is the culmination of their goal of producing an international benchmark for information security practices, and is the result of their extensive work over many years. Published in March 2003, version 4.0 of this guide covers the latest topics in INFOSEC such as intrusion detection, privacy and security awareness, broadband and wireless connectivity, PDAs, and computer forensics.

ISF is a membership organization and their reports are normally for the exclusive use of their members. However, the ISF decided to make this guide available to non-members to promote good security practices worldwide (Information Security Forum, 2003). In-depth research and practical experience provide the foundation on which ISF developed this standard. The standard was first published in 1996 and has been updated every two years to respond to the needs of leading international organizations, refine areas of best practice, reflect the most up-to-date thinking in INFOSEC, and include new topics. Therefore, it is a very mature and well-tested standard. In fact, all practices included in the standard are tested to ensure they conform to ten internationally accepted design and development criteria. These criteria ensure that the standard (a) covers all key areas, (b) is complete, (c) includes the latest developments and hot topics, (d) has an easy to understand structure and layout, (e) is clear and unambiguous, (f) provides sufficient detail to be practical, (g) is applicable to any organization, (h) is achievable in practice, (i) forms the basis for the measurement of performance, and (j) is easy to use.

Conformity to these ten criteria underpins the process ISF used to develop this standard. The target audience for this standard is major national and international organizations that recognize INFOSEC as a key business function. However, it is equally applicable to small and medium sized companies. Organizations can use this standard to replace or augment their own standard, integrate parts of the standard into their organization to complement and strengthen their level of protection, assess their performance in INFOSEC, support security audits and reviews, check compliance with industry standards, and provide an authoritative reference for particular initiatives (Information Security Forum, 2003). Although this standard is technology-neutral, organizations could also use it as guidance during the preparation of more detailed technology-specific standards such as Windows NT or UNIX implementations.

The standard itself is presented in five distinct aspects (described below) that interrelate to support the business’s key processes. Security management provides the high-level direction and control needed by the systems development staff so they can develop critical business applications that will run on the underlying computer installations and networks.

1. Security management. This aspect focuses on the commitment made by top-level managers to promoting good INFOSEC practices across the enterprise.

2. Critical business applications. This aspect focuses on the security requirements of the application and the arrangements made for identifying and mitigating risks.

3. Computer installations. This aspect focuses on how the computers are set up and run to meet identified requirements for computer services.

4. Networks. This aspect focuses on how the network is set up and run to meet identified requirements for network services.

5. Systems development. This aspect focuses on how systems are designed and built (including information security requirements) to meet business requirements.

In turn, each of these five aspects prescribes areas (i.e., topics) which are broken down

further into sections. In all, there are 30 topics and 132 sections. However, since each aspect is

designed to be complete in its own right, some sections appear in more than one aspect.

Therefore, the standard provides a topics-matrix to cross-reference these overlaps.

Understanding this drill-down layout is the key to applying the standard. Figure 4 illustrates how

the standard organizes and presents information in a drill-down manner.

Figure 4. Example of how ISF’s Standard organizes and presents its security practices.

Aspect CB – Critical Business Applications

Area CB3 – User environment

CB3.2 – Application sign-on process

Principle. Users should be subjected to a rigorous sign-on process before they can gain access to the application.

Objective. To ensure that only authorized users gain access to the application.

CB3.2.1 There should be a sign-on process that users must follow before they can gain access to the application, which should enable UserIDs to be identified individually.

CB3.2.2 Sign-on mechanisms should be configured so that they:
   a) Display no identifying details until after sign-on is completed successfully
   b) Warn that only authorized users are permitted access
   c) Validate sign-on information only when it has all been entered
   d) Limit the number of unsuccessful sign-on attempts
   e) Record all successful and unsuccessful sign-on attempts
   f) Restrict additional sign-on attempts
   g) Limit the duration of any one sign-on session
   h) Automatically re-invoke sign-on after interruption of the process, for example when a connection is broken
   i) Advise users – on successful sign-on – of the date/time of their last successful sign-on and all unsuccessful sign-on attempts since their most recent successful sign-on
   j) Do not store authentication details as clear text in automated routines, such as in scripts, macros or cache memory

CB3.2.3 The approval of the application “owner” should be obtained before any important features of the sign-on process are bypassed, disabled or changed.

As demonstrated by this example, The Standard of Good Practice for Information Security provides a detailed range of security principles, control objectives, and practices. However, this standard does not provide guidance on how to select appropriate controls to achieve the recommended practices. Therefore, it requires experienced ISSOs to apply it. Nevertheless, Appendix B refers ISSOs to other security references that will aid them in this task. Overall, this standard is quickly catching on within the INFOSEC community and will likely become a “standard” in the very near future. ISSOs should consider this one of the “grass roots” documents within their INFOSEC library.
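The CB3.2.2 requirements quoted in Figure 4 translate directly into code, which is the easiest way to see what each point actually demands of an application. The following is an added example written for this guide, not text or code from the ISF standard: a small Python sign-on service that enforces points (a) through (j) of CB3.2.2. The user IDs, passwords, attempt limit, lockout period, session length and audit record layout are illustrative assumptions.

```python
# Added example (not ISF material): a sign-on service enforcing the CB3.2.2
# controls quoted in Figure 4. Thresholds and session length are assumptions.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3          # (d) limit the number of unsuccessful attempts
LOCKOUT_SECONDS = 15 * 60        # (f) restrict further attempts once the limit is hit
MAX_SESSION_SECONDS = 8 * 3600   # (g) limit the duration of any one session
WARNING_BANNER = "WARNING: only authorized users are permitted access."  # (b)
GENERIC_FAILURE = "Sign-on failed."   # (a) identical reply for every failure cause


def _derive(password: str, salt: bytes) -> bytes:
    # (j) only a salted PBKDF2 hash is stored; the clear-text password is never kept
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    failed_since_success: int = 0     # reported to the user on next success, (i)
    consecutive_failures: int = 0     # drives the lockout decision, (d)
    last_success: Optional[float] = None
    lockout_until: float = 0.0


@dataclass
class SignOnService:
    users: Dict[str, UserRecord] = field(default_factory=dict)
    sessions: Dict[str, float] = field(default_factory=dict)   # token -> start time
    audit_log: List[Tuple[float, str, str]] = field(default_factory=list)  # (e)

    def banner(self) -> str:
        return WARNING_BANNER   # (b) shown before any credentials are requested

    def enrol(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = UserRecord(salt=salt, pw_hash=_derive(password, salt))

    def sign_on(self, user_id: Optional[str], password: Optional[str],
                now: float) -> Tuple[bool, str, Optional[str]]:
        """Return (success, message, session token). `now` is a POSIX timestamp
        supplied by the caller so the lockout and session logic is testable."""
        # (c) validate nothing until all sign-on information has been entered
        if not user_id or not password:
            return False, "Enter both user ID and password.", None
        rec = self.users.get(user_id)
        # An unknown user and a wrong password produce the same reply, (a)
        if rec is None:
            self.audit_log.append((now, user_id, "FAIL:unknown-user"))
            return False, GENERIC_FAILURE, None
        if now < rec.lockout_until:
            self.audit_log.append((now, user_id, "FAIL:locked-out"))
            return False, GENERIC_FAILURE, None
        if not hmac.compare_digest(_derive(password, rec.salt), rec.pw_hash):
            rec.failed_since_success += 1
            rec.consecutive_failures += 1
            self.audit_log.append((now, user_id, "FAIL:bad-password"))
            if rec.consecutive_failures >= MAX_FAILED_ATTEMPTS:   # (d) and (f)
                rec.lockout_until = now + LOCKOUT_SECONDS
                rec.consecutive_failures = 0
                self.audit_log.append((now, user_id, "LOCKOUT"))
            return False, GENERIC_FAILURE, None
        # Successful sign-on: (i) report prior activity to the user, then reset
        message = (f"Last successful sign-on: {rec.last_success}; "
                   f"unsuccessful attempts since then: {rec.failed_since_success}")
        rec.failed_since_success = 0
        rec.consecutive_failures = 0
        rec.last_success = now
        token = secrets.token_hex(16)
        self.sessions[token] = now
        self.audit_log.append((now, user_id, "SUCCESS"))
        return True, message, token

    def session_valid(self, token: str, now: float) -> bool:
        # (g) a session expires after MAX_SESSION_SECONDS; (h) a token lost when a
        # connection broke is simply unknown here, which forces a fresh sign-on
        started = self.sessions.get(token)
        if started is None:
            return False
        if now - started > MAX_SESSION_SECONDS:
            del self.sessions[token]
            return False
        return True
```

The `now` argument is passed in rather than read from the clock so that the lockout and session-expiry paths can be exercised deterministically; in production it would be `time.time()`. Note that an unknown user ID and a wrong password return the identical message, which is the substance of point (a): the sign-on screen must not confirm which user IDs exist.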

The CERT® Guide to System and Network Security Practices

The CERT® Coordination Center (CERT/CC) is a research and development center that is renowned worldwide for its Internet security expertise. Allen (2001) has compiled the security practices learned by CERT® over many years and published them in her book The CERT® Guide to System and Network Security Practices. This book addresses the critical and pervasive security problems identified in CERT’s extensive data on security breaches and vulnerabilities. The target audience for this book is primarily system administrators, while ISSOs are considered a secondary audience. In fact, this book assumes that readers are familiar with installing operating systems and the basic concepts of establishing secure configurations, authentication, access control, and integrity checking. This is a reference book, not a tutorial or instructional guide on network security. Therefore, less-experienced ISSOs may have some trouble reading this book.

CERT® uses what they refer to as “security improvement modules” to present 52

security practices that covers 75 to 80 percent of the security incidents reported to them (Allen,

2001). Each module discusses a very specific problem area of network security. The seven

security improvement modules are:

1. Outsourcing managed security services.

2. Securing desktop workstations.

3. Responding to intrusions.

4. Securing network servers.

5. Deploying firewalls.

6. Securing public web servers.

7. Detecting signs of intrusion.

Furthermore, each module contains a series of practices and implementations. Practices describe the choices and issues that administrators must consider to solve a network security problem, and implementations provide examples of tasks that implement the practices. The 52 practices are presented in the following systematic approach:

1. Harden and secure. This step involves solving known problems by applying known solutions and consists of 31 of the 52 total practices. For example, administrators should make appropriate software changes to establish a secure configuration rather than accepting the “out of the box” installation.

2. Prepare. This step involves identifying new problems (i.e., vulnerabilities) and formulating new solutions. Since not all vulnerabilities are known, administrators need to be in a position to recognize when these unknown vulnerabilities are being exploited. Four practices are identified in this step.

3. Detect. This step involves monitoring to detect potential intrusions. Eight practices are presented in this step. An example of a detection step would be looking at the logs that the firewall produces.

4. Respond. This step involves responding to intrusions to minimize damage and aid in recovery. Seven practices are prescribed. An example of a response step would be collecting and analyzing evidence.

5. Improve. This step involves protecting against future attacks. An example of an improvement step would be updating policies and procedures based on the information gathered during detection and response. Two practices are described (Allen, 2001).
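The Detect step above gives reading firewall logs as its example. The following is an added example, not material from the CERT guide, showing what that looks like in practice: a Python script that parses a handful of constructed firewall drop records (the line format imitates Linux netfilter LOG output; the host name, addresses and the port-count threshold are made-up assumptions), flags a source that probed many distinct ports, and drafts a block rule as input to the Respond step.

```python
# Added example (not from the CERT guide): the Detect step applied to constructed
# firewall log lines. The format imitates Linux netfilter LOG output; the gateway
# name, addresses and the five-port threshold are assumptions for illustration.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: 203.0.113.7 probes six ports within a few seconds, while
# 198.51.100.4 makes ordinary (if blocked) attempts at two services.
SAMPLE_LOG = """\
Mar  9 17:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Mar  9 17:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Mar  9 17:01:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25
Mar  9 17:01:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80
Mar  9 17:01:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=443
Mar  9 17:01:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=3389
Mar  9 17:01:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Mar  9 17:01:06 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80
Mar  9 17:01:07 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=51002 DPT=53
"""

DROP_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

Event = Tuple[str, str, str, int]   # (source, destination, protocol, destination port)


def parse_drops(log_text: str) -> List[Event]:
    """Extract dropped connection attempts; lines that do not match are ignored."""
    events: List[Event] = []
    for line in log_text.splitlines():
        if "FW-DROP" not in line:
            continue
        match = DROP_RE.search(line)
        if match is None:           # malformed or truncated record: skip, do not crash
            continue
        events.append((match["src"], match["dst"], match["proto"], int(match["dpt"])))
    return events


def find_port_scanners(events: List[Event], min_ports: int = 5) -> Dict[str, List[int]]:
    """Flag sources that touched at least `min_ports` distinct destination ports."""
    ports_by_src: Dict[str, set] = defaultdict(set)
    for src, _dst, _proto, dpt in events:
        ports_by_src[src].add(dpt)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


def suggest_block_rules(scanners: Dict[str, List[int]]) -> List[str]:
    """Respond step: draft rules for an administrator to review, not apply blindly."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(scanners)]


if __name__ == "__main__":
    hits = find_port_scanners(parse_drops(SAMPLE_LOG))
    for src, ports in hits.items():
        print(f"{src} probed ports {ports}")
    for rule in suggest_block_rules(hits):
        print(rule)
```

A threshold of five distinct ports is deliberately low so the constructed sample trips it; on a real gateway the value, and a time window, would be tuned against that network's normal traffic, and the drafted rule is a suggestion for an administrator to review rather than something the script applies itself.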

All of these practices are technology independent, and the checklists at the end of each chapter make this an easy guide to implement. Although this guide was written with administrators in mind, ISSOs should seriously consider reading this book simply for the in-depth configuration settings and practices that are often more familiar to system administrators. Being conversant with these settings and practices will help ISSOs build a stronger rapport with their system administrators.

Summary of INFOSEC Guidelines and Best Practices

Unlike acts (which are obligatory) and standards (which are norms), guidelines are the methods of the recognized leaders in the INFOSEC community that have not yet become standards. They are widely recognized as suitable and reliable means of meeting the security requirements of acts and standards because they often result from best practices, which in turn arise through experience and research. This section reviewed six of the most prevalent guidelines, which are summarized below.

The AICPA/CICA Privacy Framework is an important document because it introduces

guidelines for protecting personal information, which ISSOs can use to support their company’s

privacy program. The Privacy Framework can help businesses mitigate privacy risks and

comply with privacy laws such as PIPEDA. The section titled Trust Services Privacy

Components and Criteria provides relevant, objective, complete, and measurable criteria for

evaluating an organization’s privacy safeguards. Furthermore, the Privacy Framework provides

cross-references to the privacy concepts that are illustrated in various domestic and international

acts and guidelines such as the GLBA, HIPAA, PIPEDA, and OECD guidelines. While not

comprehensive, these cross-references may be valuable to ISSOs who are juggling multiple acts

and guidelines in parallel.

The Guidelines for the Management of IT Security (GMITS) consists of five separate technical reports that complement each other nicely to form a complete and comprehensive set of security guidance. Part 1 presents the basic management concepts and models used to describe the management of IT security and is aimed at IT security managers. However, this knowledge is considered essential introductory material for all INFOSEC professionals. Part 2 discusses subjects essential to the management and planning aspects of IT security and is relevant to IT security managers or other managers that make substantial use of IT systems. Part 2 assumes the reader is familiar with the basic concepts presented in Part 1. Part 3 provides more in-depth information about the security techniques (as opposed to processes) that are appropriate for IT security managers who are involved in project lifecycles. Part 4 provides the process for the selection of safeguards through the use of baseline models. Part 5 provides guidance to IT security managers with respect to networks. The level of detail in these reports is ideal for ISSOs and highly relevant to their day-to-day operations. Therefore, all ISSOs should build the foundation of their subject matter expertise on these technical reports.

An Introduction to Computer Security: The NIST Handbook is one of NIST’s keystone publications; it explains important concepts of computer security that apply to hardware, software, and information. ISSOs in both federal government and private sector businesses would benefit greatly from studying this guide. The NIST Handbook addresses most of the domain tasks that CISM candidates need to know and therefore is an excellent study aid for ISSOs preparing to seek the CISM qualification. The organization of this guide into its three major sections of (a) management controls, (b) operational controls, and (c) technical controls contributes to its effectiveness as a learning aid for ISSOs.

The RFC 2196 Site Security Handbook represents the collective work of a large number of contributing authors and provides ISSOs with practical advice on developing computer security policies and procedures to protect their critical information assets. RFC 2196 covers a wide variety of topics from the viewpoint of the policies and procedures that are needed to support the technical security features that an organization plans to implement. Some of these topics include security policy content, risk management, network architecture concerns, firewalls, security services, confidentiality, integrity, authentication, auditing, securing backups, and incident handling. RFC 2196 stresses the need to implement safeguards in a cost effective manner aimed at the most likely risks that ISSOs may be faced with and is therefore a moderately valuable document for them to read.

The Standard of Good Practice for Information Security is the result of ISF’s in-depth research and practical experience over many years. It covers the latest topics in INFOSEC such as intrusion detection, privacy and security awareness, broadband and wireless connectivity, PDAs, and computer forensics. The standard is updated every two years to respond to the needs of leading international organizations, refine areas of best practice, reflect the most up-to-date thinking in INFOSEC, and include new topics. Therefore, it is a very mature and well-tested standard. ISSOs can use this standard as a whole or integrate parts of the standard into their organization to complement and strengthen their level of protection. Finally, this is a technology-neutral standard, so organizations running Windows NT or UNIX implementations can equally apply the recommended security practices. Experienced ISSOs will have no difficulty applying this standard, while less experienced ISSOs will need to augment their knowledge with some of the references in Appendix B in order to fully benefit from this standard.

The CERT® Guide to System and Network Security Practices addresses the most critical and pervasive security problems based on extensive data on security breaches and vulnerabilities. However, this is a reference book, not a tutorial or instructional guide on network security, so it may not be suitable for less-experienced ISSOs. Overall, CERT’s seven “security improvement modules” cover 75 to 80 percent of the security incidents reported to them, and they address very specific problem areas within network security. Furthermore, the five-step approach that this guide uses is technology independent, and the checklists after each chapter make this guide easy to follow and implement. Although this book does not cater specifically to the needs of ISSOs, and the level of information presented is sometimes too detailed for their purposes, they would still benefit significantly from reading this book.

Rating of Guidelines and Best Practices

The six guidelines and best practices reviewed in this paper represent those that have

received considerable attention within the INFOSEC community and are by and large recognized

as important achievements within the INFOSEC community. Table 4 summarizes their value to

ISSOs. Additional guidelines and best practices are referenced in Appendix B; however, the

limitations of this paper preclude a review of them all.

Table 4. Summary of INFOSEC guidelines and their helpfulness to ISSOs (rated out of 6).

Title                                                                   Helpfulness
AICPA/CICA Privacy Framework                                            3/6
ISO/IEC TR13335 Guidelines for the Management of IT Security (GMITS)    6/6
An Introduction to Computer Security: The NIST Handbook                 6/6
RFC 2196 Site Security Handbook                                         4/6
The Standard of Good Practice for Information Security                  6/6
The CERT® Guide to System and Network Security Practices                5/6

PART III

Chapter 8 - Conclusions

In today’s complex, cross-boundary, electronic business economy, the barrage of INFOSEC incidents reported by businesses worldwide has become a cause of great concern for business leaders, especially the CIO and his key staff, namely the ISSM and ISSO. Business has become more global and the stakes for not securing the flow of information are particularly high. This may be a fundamental reason why there is a growing number of INFOSEC reports, acts, standards, and guidelines advising businesses (in some cases directing them) to secure their critical information assets. This proliferation of security acts, standards, and guidelines exists because no one agency has prescribed an all-encompassing security standard that satisfies both national and international business partners. Although governments and private agencies have already established a significant legislative and regulatory regime around IT security, and there is already broad consensus on common solutions to IT security, this does not appear to be enough. Witness the avalanche of information prescribing security measures and practices, which has grown into a complex web of requirements without any clear linkage among them. Thus, many businesses find themselves working with a dozen standards in parallel as they cross international boundaries. Tackling this disarray is the CIO and his team of security experts.

As the CIO’s key advisors, ISSOs might find themselves struggling to maintain their awareness and working knowledge of all the security-related documents that mandate or recommend security measures for their business. Therefore, this paper has introduced ISSOs to 17 of the most relevant and commonly accepted security-related documents. In addition, the appendix to this paper refers ISSOs to another 68 security-relevant documents that they may find useful to expand their knowledge and skills.

As well, the overarching structure of an INFOSEC program was defined so that ISSOs can understand how the reviewed security references relate to all the other security requirements and activities they may be involved in. A broad overview of the key responsibilities of ISSOs and the role they play within the overarching INFOSEC program was presented as background material for less-experienced ISSOs. The review of the literature indicated that other authors who have written about the well-known security standards and guidelines do not agree among themselves. Based on the information presented in this paper, it is reasonable to conclude that the INFOSEC community will continue to be bombarded with acts, standards, and guidelines and that ISSOs will struggle to keep up.

Overall Rating of Acts, Standards, and Guidelines

Table 5 presents an overall summary of all the acts, standards, and guidelines reviewed in

this paper, which may be useful to ISSOs as a quick reference chart.

Table 5. Quick reference to the INFOSEC acts, standards, and guidelines and their helpfulness to ISSOs (rated out of 6).

Title                                                                                      Helpfulness
Personal Information Protection and Electronic Documents Act (PIPEDA)                      2/6
Health Insurance Portability and Accountability Act (HIPAA)                                3/6
Gramm-Leach-Bliley Act (GLBA)                                                              3/6
Sarbanes-Oxley Act (SOX Act)                                                               2/6
Generally Accepted Principles and Practices for Securing Information Technology Systems    4/6
OECD Guidelines for the Security of Information Systems and Networks                       1/6
Generally Accepted Information Security Principles (GAISP)                                 3/6
German IT Security Guidelines                                                              6/6
COBIT®                                                                                     2/6
ISO/IEC 17799 Code of Practice for Information Security Management                         6/6
BS 7799-2 Specification for Information Security Management Systems                        4/6
AICPA/CICA Privacy Framework                                                               3/6
ISO/IEC TR13335 Guidelines for the Management of IT Security (GMITS)                       6/6
An Introduction to Computer Security: The NIST Handbook                                    6/6
RFC 2196 Site Security Handbook                                                            4/6
The Standard of Good Practice for Information Security                                     6/6
The CERT® Guide to System and Network Security Practices                                   5/6

74
Chapter 9 - Recommendations for Further Study

The goal of this paper was to introduce ISSOs to the broad range of acts, standards, and guidelines available to help them protect their organization’s critical information assets. A rough qualitative assessment was used to describe the helpfulness that ISSOs might expect if they were to read each of these acts, standards, and guidelines. This qualitative assessment was based solely on the author’s own knowledge and experience as an ISSO and in no way implies that these security references would not be of value to other INFOSEC professionals, such as ISSMs and CIOs. Nor does this qualitative assessment make any comparison between the various acts, standards, or guidelines to claim that compliance with any one (or more) would be sufficient to adequately protect an organization’s network. To take the research presented in this paper further, it would be helpful to develop a cross-reference map of the principles, objectives, practices, and procedures of each of the standards and guidelines to discover the overlaps that exist within many of these documents. Since it is impractical to expect an organization to read and apply all the references presented in this paper, a cross-reference map would allow ISSOs, ISSMs, and CIOs to decide which of the standards or guidelines would be most appropriate for their organization and would allow them to develop a compliance strategy.

References

Allen, J. H. (2001). The CERT© guide to system and network security practices. Upper Saddle
River, New Jersey: Addison-Wesley.

American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered
Accountants. (2004). AICPA/CICA privacy framework -including the AICPA/CICA trust
services privacy principle criteria (March 22nd ed.). (Original work published
November 15, 2003) Retrieved February 7, 2006, from The American Institute of
Certified Public Accountants Web site:
http://www.aicpa.org/innovation/baas/ewp/privacy_framework.asp

BSI British Standards. (Ed.). (2001, November). BS7799-2 Information security management
part 2 - specification for information security management systems. (Available from BSI
Group, www.bsi-global.com)

BSI British Standards. (Ed.). (2001, November). (Available from BSI Group, www.bsi-
global.com)

Canada. Office of the Privacy Commissioner. (2000). Personal information protection and
electronic documents act [Electronic version]. Ottawa, Canada: Department of Justice of
Canada.

Conner, B., Noonan, T., & Holleyman, R. W. (2003). Information security governance: toward
a framework for action. Retrieved June 10, 2005, from The Business Software Alliance
Web site: http://www.bsa.org

Federal Office for Information Security. (2004). IT security guidelines: IT baseline protection in
brief. Retrieved March 4, 2005, from the BSI Web site: http://www.bsi.bund.de

Federal Trade Commission. (2002). Standards for safeguarding consumer information: final
rule. In 16 CFR Part 314 (RIN 3084 AA87). Washington, DC: Federal Register Part
VII.

Fraser, B. (Ed.) (1997). RFC 2196: Site security handbook. Retrieved February 7, 2006, from
The Internet Engineering Task Force (IETF) Web site: http://www.ietf.org/rfc

Gallagher, P. R. (1992). A guide to understanding information system security officer
responsibilities for automated information systems. In NCSC-TG-027 Rainbow Series,
Turquoise Book (Library No. S-238,461). Fort George G. Meade, MD: National Security
Agency.

German Chamber of Commerce. (2001). A comparative study of IT security criteria. Retrieved
February 19, 2006, from Initiative D21 Web site: http://www.initiatived21.de/druck/
news/publikationen2002/doc/22_1053502416.pdf

Guttman, B., & Roback, E. (1995). An introduction to computer security: the NIST handbook.
NIST special publication 800-12. Retrieved April 5, 2005, from National Institute of
Standards and Technology (NIST) Web site: http://www.csrc.nist.gov/

Hash, J., Bowen, P., Johnson, A., Smith, C. D., & Steinberg, D. I. (2005). An introductory
resource guide for implementing the health insurance portability and accountability act
(HIPAA) security rule. Retrieved April 3, 2005, from National Institute of Standards and
Technology Web site: http://www.csrc.nist.gov/publications/nistpubs

Information Security Forum. (2003). The standard of good practice for information security (4th
ed.). Retrieved February 7, 2006, from The Information Security Forum (ISF) Web site:
http://www.isfsecuritystandard.com/

International Information Security Association. (2003). Generally accepted information security
principles (Version 3.0). (Original work published 1992) Retrieved June 10, 2004, from
Generally Accepted Information Security Principles Web site: http://www.gaisp.org

International Organization for Standardization and International Electrotechnical
Commission (ISO/IEC). (2005). Code of practice for information security management
(ISO/IEC 17799). New York: American National Standards Institute.

International Organization for Standardization and International Electrotechnical
Commission (ISO/IEC). (1996). Information technology guidelines for the management
of IT security – part 1: concepts and models for IT security (ISO/IEC TR 13335-1). New
York: American National Standards Institute.

International Organization for Standardization and International Electrotechnical
Commission (ISO/IEC). (1997). Information technology guidelines for the management
of IT security – part 2: managing and planning IT security (ISO/IEC TR 13335-2). New
York: American National Standards Institute.

International Organization for Standardization and International Electrotechnical
Commission (ISO/IEC). (1998). Information technology guidelines for the management
of IT security – part 3: techniques for the management of IT security (ISO/IEC TR
13335-3). New York: American National Standards Institute.

International Organization for Standardization and International Electrotechnical
Commission (ISO/IEC). (2000). Information technology guidelines for the management
of IT security – part 4: selection of safeguards (ISO/IEC TR 13335-4). New York:
American National Standards Institute.

International Organization for Standardization and International Electrotechnical
Commission (ISO/IEC). (2001). Information technology guidelines for the management
of IT security – part 5: management guidance on network security (ISO/IEC TR
13335-5). New York: American National Standards Institute.

IT Governance Institute. (2004). IT control objectives for Sarbanes-Oxley: the importance of IT
in the design, implementation and sustainability of internal control over disclosure and
financial reporting. Retrieved February 1, 2006, from IT Governance Institute Web site:
http://www.itgi.org

IT Governance Institute. (2006). COBIT© 4.0. Rolling Meadows, IL: IT Governance Institute.

Kaplan, J. M., Murphy, J. E., & Swenson, W. M. (2000). Compliance programs and the
corporate sentencing guidelines, preventing criminal and civil liability. St. Paul,
Minnesota: West Group.

Kovacich, G. L. (2003). The information systems security officer's guide: establishing and
managing an information protection program (2nd ed.). Burlington, MA: Butterworth
Heinemann.

Macartney, L. A. (2005). Information security harmonization: classification of global guidance.
Rolling Meadows, IL: Information Systems Audit and Control Association.

Organisation for Economic Co-operation and Development. (1992). Guidelines for the security of
information systems. Retrieved May 12, 2004, from OECD Web site:
http://www.oecd.org

Organisation for Economic Co-operation and Development. (2002). Guidelines for the security of
information systems and networks: towards a culture of security. (Original work
published 1992) Retrieved February 12, 2006, from OECD Web site:
http://www.oecd.org

Pironti, J. P. (2005). Key elements of an information security program. Information Systems
Control Journal, 1.

Rasmussen, G., Trivisani, K., & Pick, C. (2003). The alarming state of security management
practices among organizations world wide (2003 Security Management Index Report).
The Human Firewall Council. Retrieved February 10, 2004, from The Human Firewall
Council Web site: http://humanfirewall.org/

Rasmussen, M. (2005). Revised ISO 17799 boosts information security management relevance.
Retrieved January 15, 2006, from Forrester Research Inc., Web site:
http://www.forrester.com

Ross, R., Katzke, S., Johnson, A., Swanson, M., Stoneburner, G., Rogers, G., et al. (2005).
Recommended security controls for federal information systems. NIST special
publication 800-53. Retrieved June 14, 2005, from National Institute of Standards and
Technology (NIST) Web site: http://www.csrc.nist.gov/

Smith, E. (2005). International codes of practice for information security management (UNISA-
TR-2005-03). South Africa: School of Computing, University of South Africa. Retrieved
February 19, 2006, from School of Computing - UNISA Web site:
http://osprey.unisa.ac.za/TechnicalReports

Swanson, M. (2006). Guide for developing security plans for federal information systems. NIST
special publication 800-18 revision 1. Retrieved February 16, 2006, from National
Institute of Standards and Technology (NIST) Web site: http://www.csrc.nist.gov/

Swanson, M., & Guttman, B. (1996). Generally accepted principles and practices for securing
information technology systems. NIST special publication 800-14. Retrieved July 10,
2005, from National Institute of Standards and Technology (NIST) Web site:
http://www.csrc.nist.gov/

U. S. National Research Council. (1991). Computers at risk: safe computing in the information
age. In Computer Science and Telecommunications Board, Systems Security Study
Committee (Library of Congress Catalog #90-022329). Washington, DC: National
Academy Press.

U.S. Congress. (1999). Gramm-Leach-Bliley act. In Public law 106-102 title V, sec. 509 (113
STAT. 1443). Washington, DC: U.S. Government Printing Office.

U.S. Congress. (2002). Sarbanes-Oxley act of 2002. In Public law 107-204 (116 STAT. 747).
Washington, DC: U.S. Government Printing Office.

U.S. Department of Health and Human Services. (2003). Health insurance reform: Security
standards; final rule. In Federal Register 45 CFR (Ed.), (CMS-0049-F). Washington,
DC: U.S. Government Printing Office.

Woody, C., & Clinton, L. (2004). Common sense guide to cyber security for small businesses:
recommended actions for information security (1st ed.). Retrieved May 14, 2005, from
The Internet Security Alliance Web site: http://www.isalliance.org/

Appendix A

Glossary of Terms

AICPA/CICA American Institute of Certified Public Accountants / Canadian Institute of
Chartered Accountants

BSI Federal Office for Information Security [German] Bundesamt für Sicherheit in
der Informationstechnik

CNSS Center for National Security Systems

C&A Certification and Accreditation

CIO Chief Information Officer

CFR Code of Federal Regulations

CERT Computer Emergency Response Team

COBIT© Control Objectives for Information and related Technology

EPHI Electronic Protected Health Information

FIPS Federal Information Processing Standards

FISMA Federal Information Security Management Act of 2002

GAISP Generally Accepted Information Security Principles

GASSP Generally Accepted System Security Principles

GLBA Gramm-Leach-Bliley Act

GMITS Guidelines for the Management of Information Technology Security

HIPAA Health Insurance Portability and Accountability Act

IETF Internet Engineering Task Force

ISF Information Security Forum

IISF International Information Security Foundation

INFOSEC Information Security

ISOC Internet Society

ISSA Information Systems Security Association

ISSM Information System Security Manager

ISSO Information System Security Officer

IT Information Technology

ISO/IEC International Organization for Standardization, and the International
Electrotechnical Commission

JTC Joint Technical Committee

NCSC National Computer Security Center

NIST National Institute of Standards and Technology

OECD Organization for Economic Co-operation and Development

PDCA Plan-Do-Check-Act

PIPEDA Personal Information Protection and Electronic Documents Act

PKI Public Key Infrastructure

RFC Request for Comments

SOX Sarbanes-Oxley Act

TRA Threat and Risk Assessment

UNISA University of South Africa

VA Vulnerability Assessment

Appendix B

Recommended INFOSEC Resources for Further Reading

1. Threats, risks, and vulnerabilities

Alberts, C., Dorofee, A., Stevens, J., & Woody, C. (2003). Introduction to the OCTAVE®
Approach. Carnegie Mellon Software Engineering Institute. Available from
http://www.cert.org/octave/

Alberts, C.J., & Dorofee, A.J. (2001). OCTAVESM Criteria, Version 2.0. CMU/SEI-2001-
TR-016. Carnegie Mellon Software Engineering Institute. Available from
http://www.cert.org/octave/

Alberts, C.J., Dorofee, A.J., & Allen, J.H. (2001). OCTAVESM Catalog of Practices,
Version 2.0. CMU/SEI-2001-TR-020. Carnegie Mellon Software Engineering
Institute. Available from http://www.cert.org/octave/

Communications Security Establishment (CSE). (1996). A Guide to Risk Assessment and
Safeguard Selection for Information Technology Systems. (MG-3).
http://www.cse.dnd.ca/publications/gov-pubs/itsg/mg3-e.html

Communications Security Establishment (CSE). (1996). Network Security, Analysis and
Implementation. (MG-1). http://www.cse.dnd.ca/publications/gov-pubs/itsg/mg1-
e.html

Communications Security Establishment (CSE). (1999). Threat and Risk Assessment
Working Guide. (ITSG-04). http://www.cse.dnd.ca/publications/gov-
pubs/itsg/itsg04-e.html

Erbschloe, M. (2005). Trojans, Worms, and Spyware: A Computer Security Professional’s
Guide to Malicious Code. Burlington, MA: Elsevier-Butterworth-Heinemann

General Accounting Office. (1999). Information Security Risk Management: Practices of
Leading Organizations. GAO/AIMD-00-33. Available from
http://www.gao.gov/special.pubs/ai00033.pdf#search='GAO%2FAIMD0033'

Hardy, G. (2005). Information Risks: Whose Business Are They? ISBN 1-933284-10-2.
Rolling Meadows, IL: IT Governance Institute.

Nyanchama, M. (2005). Enterprise Vulnerability Management and Its Role in Information
Security. Information Security Management Journal, July/August 2005 Edition.
Available from http://www.infosectoday.com/ISS%200507.htm

Rittinghouse, J.W., & Hancock, W.M. (2003). Cybersecurity Operations Handbook.
Burlington, MA: Elsevier Digital Press.

Royal Canadian Mounted Police (RCMP). (1994). Security Information Publication 5:
Guide to Threat and Risk Assessment for Information Technology. (G2-001).
http://www.rcmp.ca/tsb/pubs/it_sec/index_e.htm

Rubin, A.D. (2001). White-Hat Security Arsenal: Tackling the Threats. New York:
Addison-Wesley.

Szor, P. (2005). The Art of Computer Virus Research and Defense. Symantec Press. Upper
Saddle River, NJ: Addison-Wesley.

U.S. Department of Health & Human Services. (2002). CMS Information Systems Threat
Identification Resource. Version 1.0. Baltimore, MD: Centers for Medicare &
Medicaid Services (CMS). Available from
http://new.cms.hhs.gov/InformationSecurity/70_Guidelines_Tools.asp#TopOfPage

U.S. Department of Health & Human Services. (2003). CMS Information Security Threat
Identification Workbook (TIW) for Major Applications. Version 1.2. Baltimore,
MD: Centers for Medicare & Medicaid Services (CMS). Available from
http://new.cms.hhs.gov/InformationSecurity/70_Guidelines_Tools.asp#TopOfPage

U.S. National Security Agency. (1996). Inference and Aggregation Issues in Secure
Database Management Systems. NCSC Technical Report -005 Volume 1/5. Library
No. S-243,039.

2. Risk management

Communications Security Establishment (CSE). (1996). A Guide to Security Risk
Management for Information Technology Systems. (MG-2).
http://www.cse.dnd.ca/publications/gov-pubs/itsg/mg2-e.html

Microsoft. (2004). The Security Risk Management Guide. Microsoft Solutions for Security
and Security Center of Excellence. Available from
http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/defa
ult.mspx

National Institute of Standards and Technology. (2002). Risk Management Guide for
Information Technology Systems. NIST Special Publication 800-30. Available from
Computer Security Division http://csrc.nist.gov/publications/nistpubs/index.html

Queensland Government. (2002). Best Practice Guide: Information Risk Management.
V1.00.00 available from
http://www.iie.qld.gov.au/02_infostand/downloads/riskmanagementbpg.pdf

U.S. Department of Health & Human Services. (2004). CMS Information Security
Acceptable Risk Safeguards (ARS). Version 1.2. Baltimore, MD: Centers for
Medicare & Medicaid Services (CMS). Available from
http://new.cms.hhs.gov/InformationSecurity/70_Guidelines_Tools.asp#TopOfPage

3. Certification and accreditation of systems

Common Criteria for Information Technology Security. (2002) CCIMB-99-(031, 032, &
033). Available from
http://www.commoncriteriaportal.org/public/consumer/index.php?menu=2

Common Criteria Methodology for Information Technology Security. (2005) CCMB-2005-
08-04 Version 2.3. Available from
http://www.commoncriteriaportal.org/public/consumer/index.php?menu=2

Communications Security Establishment (CSE). (1996). A Guide to Certification And
Accreditation For Information Technology Systems. (MG-4).
http://www.cse.dnd.ca/publications/gov-pubs/itsg/mg4-e.html

International Organization for Standardization and International Electrotechnical
Commission (ISO/IEC). (2004). Information Technology Security Techniques:
Guide for the Production of Protection Profiles and Security Targets. (ISO/IEC TR
15446). New York: American National Standards Institute.

Ragen, A. (2005). Manager’s Guide to the Common Criteria. Version 1.6. Available from
http://www.alexragen.com

Ross, R., Swanson, M., Stoneburner, G., Katzke, S., & Johnson, A. (2004). Guide for the
Security Certification and Accreditation of Federal Information Systems. NIST
Special Publication 800-37. National Institute of Standards and Technology.
Available from http://csrc.nist.gov/publications/nistpubs/index.html

Swanson, M. (2001). Security Self-Assessment Guide for Information Technology Systems.
NIST Special Publication 800-26. National Institute of Standards and Technology.
Available from http://csrc.nist.gov/publications/nistpubs/index.html

4. Role and responsibilities of INFOSEC professionals

Gentile, M., Collette, R., & August, T. (2006). The CISO Handbook: A Practical Guide to
Securing Your Company. Boca Raton, New York: Auerbach Publications.

U.S. Department of the Navy. (1996). Information Systems Security Officer (ISSO)
Guidebook. NAVSO P-5239-07 Module 07. Available from
http://infosec.nosc.mil/infosec.html/

5. Technology guides

Government of Western Australia. (2004). Incident Response Plan: A Technical Guide to
Aid in Preparing for, Detecting and Responding to Computer Security Incidents.
Perth, WA: Department of the Premier and Cabinet, Office of e-Government.
Available from http://www.egov.dpc.wa.gov.au

Lee, A. (1999). Guideline for Implementing Cryptography in the Federal Government.
NIST Special Publication 800-21. Gaithersburg, MD: National Institute of Standards
and Technology. Available from
http://csrc.nist.gov/publications/nistpubs/index.html

Microsoft Corporation. (2003). Improving Web Application Security: Threats And
Countermeasures. Redmond, WA: Microsoft Press.

Ogletree, T.W. (2000). Practical Firewalls. Indianapolis, Indiana: Que Corporation.

Oppliger, R. (2003). Security Technologies for the World Wide Web. 2nd Edition.
Computer Security Series. Norwood, MA: Artech House Inc.

U.S. Government Accounting Office. (2004). Information Security: Technologies to Secure
Federal Systems. Report to Congressional Requesters. GAO-04-467. Available
from http://www.gao.gov/cgi-bin/getrpt?GAO-04-467.

U.S. National Security Agency. (2002). Information Assurance Technical Framework.
Release 3.1. Available from http://www.iatf.net

Wack, J., Cutler, K., & Pole, J. (2002). Guidelines on Firewalls and Firewall Policy. NIST
Special Publication 800-41. National Institute of Standards and Technology.
Available from http://csrc.nist.gov/publications/nistpubs/index.html

6. Security policies and plans

Greenberg, E. (2003). Mission-Critical Security Planner: When Hackers Won’t Take No for
an Answer - Creating Customized Strategies. Indianapolis, IN: Wiley Publishing,
Inc.

National Institute of Standards and Technology. (2005). Federal Information Processing
Standards 200: Minimum Security Requirements for Federal Information and
Information Systems (INITIAL PUBLIC DRAFT). FIPS PUB 200. Available from
Computer Security Division http://csrc.nist.gov/publications/fips/index.html

National Institute of Standards and Technology. (2005). Recommended Security Controls
for Federal Information Systems. NIST Special Publication 800-53. Available from
Computer Security Division http://csrc.nist.gov/publications/nistpubs/index.html

Treasury Board of Canada Secretariat. (2004). Operational Security Standard:
Management of Information Technology Security (MITS). http://www.tbs-
sct.gc.ca/pubs_pol/gospubs/TBM_12A/23RECON_e.asp

U.S. Department of Health & Human Services. (2004). CMS Information Systems Security
Policy, Standards and Guidelines Handbook (The Handbook). Version 1.2.
Baltimore, MD: Centers for Medicare & Medicaid Services (CMS). Available from
http://new.cms.hhs.gov/InformationSecurity/70_Guidelines_Tools.asp#TopOfPage

Woody, C., & Clinton, L. (2004). Common Sense Guide to Cyber Security for Small
Businesses: Recommended Actions for Information Security. 1st Edition. Internet
Security Alliance. Available from http://www.isalliance.org/

7. Security program management

Caralli, R.A. (2004). The Critical Success Factor Method: Establishing a Foundation for
Enterprise Security Management. CMU/SEI-2004-TR-010. Carnegie Mellon
Software Engineering Institute. Available from
http://sei.cmu.edu/publications/pubweb.html

Information Systems Audit and Control Association (2005). Critical Elements of
Information Security Program Success. http://www.isaca.org

IT Governance Institute, & Office of Government Commerce. (2005). Aligning COBIT®,
ITIL®, and ISO 17799 for Business Benefit: A Management Briefing from ITGI and
OGC. Available from http://www.itgi.org/

IT Governance Institute. (2004). COBIT® Security Baseline: An Information Survival Kit.
ISBN 1-893209-79-2. Rolling Meadows, Illinois: IT Governance Institute.

Paquet, C., & Saxe, W. (2005). The Business Case for Network Security: Advocacy,
Governance, and ROI. Indianapolis, IN: Cisco Press.

U.S. Department of Education – Information Technology Security. (2002). Information
Technology Security Cost Estimation Guide. Available from
http://www.iwar.org.uk/comsec/resources/fasp/ED_IT_Security_Cost_Estimation_G
uide_NIST.doc

U.S. House of Representatives. (2005). Information Security Program Elements with
Supporting Management Metrics. CS1/05-0079. Corporate Information Security
Working Group (CISWG). Available from
www.incits.org/tc_home/CS1/2005docs/cs1050079.pdf

8. Security awareness and education

Information Systems Audit and Control Association. (2005). Implementing a Security
Awareness and Education Program. http://www.isaca.org

Wulgaert, T. (2005). Security Awareness: Best Practices to Secure Your Enterprise.
Available from Information Systems Audit and Control Association
http://www.isaca.org

9. Professional development

Anderson, R. (1993-2003) Securing the U.S. Defense Information Infrastructure © Rand.
Available from http://www.rand.org/pubs/monograph_reports/MR993/

Anderson, R. (2001). Security Engineering: A Guide to Building Dependable Distributed
Systems. New York: Wiley Computer Publishing.

Gupta, A., & Laliberte, S. (2004). Defend I.T. – Security by Example. Boston, MA:
Addison-Wesley.

International Organization for Standardization and International Electrotechnical
Commission (ISO/IEC). (2002). Information Technology Systems Security
Engineering: Capability Maturity Model (SSE-CMM®). (ISO/IEC 21827). New
York: American National Standards Institute.

Mell, P., Kent, K., & Nusbaum, J. (2005). Guide to Malware Incident Prevention and
Handling. NIST Special Publication 800-83 (DRAFT). National Institute of
Standards and Technology. Available from
http://csrc.nist.gov/publications/nistpubs/index.html

Mitnick, K.D., & Simon, W.L. (2002). The Art of Deception: Controlling the Human
Element of Security. Indianapolis, IN: Wiley Publishing, Inc.

Mitnick, K.D., & Simon, W.L. (2005). The Art of Intrusion: The Real Stories Behind the
Exploits of Hackers, Intruders & Deceivers. Indianapolis, IN: Wiley Publishing, Inc.

Patterson, T. (2005). Mapping Security: The Corporate Security Sourcebook for Today's
Global Economy. Upper Saddle River, New Jersey: Addison-Wesley.

Pfleeger, C.P., and Pfleeger, S.L. (2003). Security in Computing. 3rd Edition. Upper
Saddle River, NJ: Prentice Hall PTR.

Proctor, P.E., & Byrnes, F.C. (2002). The Secured Enterprise: Protecting Your Information
Assets. Upper Saddle River, New Jersey: Prentice Hall PTR

Saltzer, J.H., & Schroeder, M.D. (1975). The Protection of Information in Computer Systems.
Invited Paper. Proceedings of the IEEE, 63(9), September 1975. Available from
http://web.mit.edu/Saltzer/www/publications/protection/

Smith, R.E. (2002). Authentication: From Passwords to Public Keys. Upper Saddle River,
NJ: Addison-Wesley.

U.S. Critical Infrastructure Assurance Office (CIAO). (2000). Practices for Securing
Critical Information Assets. Washington, DC: CIAO. Available from
http://www.ciao.gov

Willis, W.H. (Ed). (1979). Security Controls for Computer Systems. Report of Defense
Science Board Task Force on Computer Security. R-609-1. Santa Monica, CA:
RAND.