JUST A couple of years ago, when someone asked how comprehensive Vanguard's information security program was, the answer would have been predictably reassuring but vague: "We're fine; nothing's happened." And for an investment company that manages $560 billion in assets, that just wasn't good enough.
"The chairman wants to see progression - what's getting better, what worries us," says Jim Hyatt, who oversees information security and contingency services for The Vanguard Group. Vanguard's way of getting there? By following ISO 17799, a non technical document from the International Organization for Standardization that's the closest thing the information security world has to a golden rule-book of management.
Based on the British Standards Institute's BS 7799, from which it's almost indistinguishable, ISO 17799 should have a place on every insomniac's bedside table. This yawner of a document has close to 70 pages of flatly written advice for managers about how to approach, implement and monitor a security program. Widely used in the United Kingdom, it has been mostly snubbed in the United States as a flawed document that's the next worst thing to regulation. Yet, as a few U.S. companies are discovering, ISO 17799 can be an effective way to communicate to stakeholders that a company is working toward a set of security best practices recognized around the world.
At Vanguard, the process started as every fledgling CSO dreams it will. The top brass declared information security a top priority, yanked it out of the information technology department and gave the new group the go-ahead to start using ISO 17799. Information security, working closely with IT, the internal audit department and senior management of each business division, started tackling the document in late 2001. Each of the 30 categories, including software development, telecommunications structure, remote access and employee awareness, was assigned an owner, who worked with someone from both information security and internal audit to assess how comfortable the company was with that aspect of security. Then the three-person team began rating the category a red, yellow or green: green for areas at or near industry leadership, yellow for items that could be improved, and red for items that needed immediate attention.
Jim Hyatt, The Vanguard Group: In the past, information security "did spot-fixes here and there, as opposed to having a cohesive plan." The results were compiled onto one of Vanguard's "dashboards" - one-page documents that managers across the company use every week to set their direction. Now, when a new computer virus hits, the category for virus, Web and e-mail controls are rated red until new filters are installed. Suddenly, information security works like the rest of the business.
"This framework allows my security team to let everyone else see what's going on," says Hyatt, a jack-of-all-trades who has been at Vanguard 23 years and counting. "It's very effective for getting action: Here's something you own; it's red. You rarely get, 'I'm too busy.' It's also a great tool to monitor progress and helps my group prioritize what to look at. In the past, information security would rush to address anything that audit may have found, and so you did spot-fixes here and there, as opposed to having a nice, cohesive plan."
If it sounds as if ISO 17799 was the answer to Vanguard's security management, there's just one catch. Vanguard isn't really following the standard. Some of the categories don't apply and were thrown out. Other areas were reworded, or "Vanguard-ized," as Hyatt puts it. For instance, the IT department at Vanguard is split into application development and technical operations; likewise, some of the ISO categories had to be split in two. "We'd change the standards to fit the organization as opposed to making the organization fit the standard," Hyatt says. His justification is sound: "If we don't get something in place that fits within the organization, then it's not sustainable. This felt more like guidance as opposed to rules."
Not that it would matter if Vanguard wanted to salute every word of the standard. ISO doesn't offer certification for 17799 as it does for other standards. There just isn't support for a standard precise enough to measure compliance. The question is, if individual companies modify ISO 17799 to make it work, and if there's no way to be certified, then what's so "standard" about it anyway?
In theory, standards are the key to making information security a mature discipline. In reality, standards are still the greatest thing that never happened to security management. And in the future, a real, certifiable standard would, could - and probably will - be the key to the board-level credibility that information security desperately needs. It's up to CSOs as to whether that day comes sooner rather than later, and whether they'll be able to shape the standard into one that really works.
Standard Politics
CSOs looking for a set of standards to follow will have no problem finding one. That's the problem. "People are confused about which they should be using, big-time," says Steve Crutchley, CSO and cofounder of 4FrontSecurity, a startup consultancy based in Reston, Va.
Legislators are setting enforceable standards for particular industries, like the Gramm-Leach-Bliley Act for financial services and the Health Insurance Portability and Accountability Act of 1996 for health care. President Bush's Critical Infrastructure Protection Board is leading efforts to set security standards for government agencies. Businesses, including the major credit card companies, are issuing standards for customers and business partners to follow. And other organizations are creating standards that they hope companies will follow out of the goodness of their hearts, or their pocketbooks. This last category of standards holds the most promise for being fair, functional and widely applicable, and right now it's a buyer's market.
In addition to ISO 17799 and BS 7799, CSOs can lean on a series of papers from the National Institute of Standards and Technology that offer similar advice. In particular, NIST Special Publication 800-14,known as the Generally Accepted Principles and Practices for Securing Information Technology Systems, can help with setting up and managing a security program. But watch out: Although 800-14 is often called a standard, it's not, really. It's a technical report. A guideline.
Meanwhile, the Information Systems Security Association, a nonprofit professional organization based in Oak Creek, Wis., is working on yet another "standard." Committee members hope this one will be to information security what the Financial Accounting Standards Board's Generally Accepted Accounting Principles are to accounting - never mind that GAAP is really only used in America. This standard is currently known as the Generally Accepted Systems Security Principles (GASSP).Using the framework provided by ISO 17799, GASSP aims to offer more specific guidance than such dictates as "a range of controls shall be implemented to achieve and maintain security in networks," but still not delve into the realm of specific products. The committee began its work a decade ago but languished, and it plans to relaunch its efforts this winter with Information Systems Security Administration funding and rename the standard the Generally Accepted Information Security Principles (GAISP).
At The George Washington University, Krizi Trivisani, director of system security operations, is partial to the NIST documents but admits that the use of any such standard is limited. "What these standards are trying to do is provide a common basis for organizational security standards, so you have a level of confidence and assurance in your organization," she says. "What they don't tell you is exactly how you're supposed to get that done."
Enter another contender: a bevy of technical standards like those from the Center for Internet Security that explains the best way to configure, say, Windows NT. Clint Kreitner, president and CEO of the nonprofit organization, describes his group's standards as the nitty-gritty ground view, as opposed to the 50,000-foot view.
"There's a continuum of information security standards that goes all the way from the level of generality that a board of directors should deal with, down to the level for enterprise management, to operating divisions, all the way down to the detailed operational steps that one has to take to configure firewalls, routers and so on," Kreitner says. "But the continuum tends to be broken. It's a series of perspectives that are not generally connected."
Ready or Not, Here They Come
For security management, at least, the ISO 17799 standard is the one most widely accepted. That's not saying much. In fact, the best measure of its success may be that other standards bodies are trying to compete with the ISO specifications without explicitly contradicting them. Widely used in the United Kingdom and Pacific Rim, ISO 17799 still hasn't gained traction in the United States. A users group (www.xisec.com) lists just three organizations in the United States that have been certified by the British Standards Institute as being BS 7799 compliant. And even its biggest American boosters admit that it's flawed. "It's not perfect," says Giga Information Group Research Director Michael Rasmussen, "but it's the most widely adopted. You can follow other best practices, but this puts everything together in one spot, and it's internationally recognized. Wherever I go, people are asking about it."
Nevertheless, 17799 was born of the Geneva, Switzerland-based ISO with marks against it. Fast-tracked through the approval process in August2000, ISO 17799 had the support of many small countries but only one of the large G7 nations - the United Kingdom, where it was born as BS7799. Canada already had its own competing standard. So did Germany. So, of course, did the United States, with the NIST publications. None of the large countries wanted to throw its weight behind a competing standard. Critics charged that ISO 17799 was passed too hastily, written unevenly and lacked sufficient guidance - that it told managers what to do without telling them how to do it.
At First Data, one subsidiary that deals with global Internet commerce had a Big Five consultancy audit it against the ISO requirements, says CISO Phil Mellinger. Mellinger, who is trying to make the company's security requirements ISO-compatible, says the document itself just wouldn't work for most of the $7.6 billion Denver-based financial services company. "We see it as sort of an outline of what a business should address, but it's not detailed enough or specific enough for our business," he says. "You know how it is when you write documents through consensus."
Opponents also said that the document made it seem as if security were just a list of to-dos, rather than an ongoing process. The solution was a rather superficial one. All the checklist-type material was placed in an appendix at the back of the document. And that didn't address the most fundamental criticism of all: That ISO 17799 shouldn't be a standard, only a technical report.
"When the U.K. brought BS 7799 to ISO, many international bodies would have been very agreeable to having that document become a technical report as opposed to a standard," says Alicia Clay, program manager for information security outreach with NIST, who is a representative on the committee that edits ISO 17799. "The expectation of a technical report is that it's more of a guideline. ISO 17799 reads more like a technical report, but technical reports tend not to carry the same kind of weight. People don't generally talk about conformance to reports."
The thing is, they don't talk about conformance to ISO 17799 either. Because of subtle differences in wording between the documents, companies can be certified against BS 7799 but not ISO 17799.Consultancies that offer ISO 17799 validation and certification have, by necessity, altered the standard or opted to use BS 7799 instead. Thus, practices are based on ISO 17799 - which tells companies they "should" take certain actions, rather than BS 7799, which says they "shall" do things - but not compliant with it. "Normally for a standard, you would say, A company shall do this and shall do that," Clay says. "It's really clear. You're conforming to a standard [like BS 7799] if you're conforming to the 'shall' statements. You may hear people say that they're 'complying' with 17799. They aren't, really, unless they're changing all those 'shoulds' to 'shalls."
When asked why the standard is set up that way, Clay lets out a long chuckle. "That," she answers, "is the question that is much debated." In fact, an ISO committee that is revising the standard again - it's common for new standards to undergo continual revision - will meet in Quebec in April, and one of the questions on the table is whether IS should develop a standard that could support a certification system.
Clay doesn't want to put herself in one camp or the other, but the U.S. attitude toward ISO 17799 tends to be one of resignation. "One of the reasons why the U.S. is so actively working on it is so that, if something does come of it, it's something U.S. business can live with," Clay says. "Whether we were ready for it or not, we now have a standard. It starts to be a good thing that 17799 is not definitive because then it would be more difficult to work with."
In the paranoid security world, even an accepted certification system would hardly inspire the kind of proud "ISO 9000 Certified" banners that hang from manufacturing plants across the country. But it would make the standard, well, a bit more standard.
Same Beginning, Same End
In the meantime, those who have studied all the standards say that it might not matter so much which one companies choose - just that they pick a set of best practices and try to follow them. "You pay your money, and you take your choice," says 4FrontSecurity's Crutchley (who, just for the record, is a Brit who's a certified BS 7799 auditor). "They all have the same beginning and the same end. You always end up with the best practices. It's just the way they're being approached. Pick one, and work with it."
Not that it will be the most exciting thing you ever do. Far from it. "It's a boring job to do this, to be quite honest," Crutchley warns. "Unbelievably boring."
It's also a lot of work - at least that's what Chris Zoladz, vice president of information protection at Marriott, discovered when he started using ISO 17799. "It's very inclusive, very comprehensive, and it can at first be overwhelming because of the size and number of areas that are covered," he says.
To cope, Zoladz created a document based on the structure of ISO 17799 and then added in the details as best he could. Next, he distributed pieces of the document to different people in the business who had expertise in a particular area, like sales or physical security. Once he got answers back, he created a master document that he distributed to the group for further feedback. Now, the document gets reviewed and updated once a year to help him set priorities.
The end result, Zoladz admits, isn't so different from what he might have gotten by following any list of best practices. The ISO label just made it a little easier for him to get others to participate.
"Unlike maybe what you might get from one of the consultancies - which I'm sure is fine and very useful - the BS or ISO is recognized, it's known, it's objective," Zoladz says. "People didn't come out and say this, but I sensed that by being able to say this is a well-recognized standard - immediately there was an acceptance - as opposed to if I would have said, Hey, this is consulting firm ABC's best practices. There might have been more discussion about, how did they come up with these, or look what I just got in the mail from consulting firm D."
"Third-party credibility and objective reasons why something needs to be done are important, and standards are sometimes looked at as a way to do that," says Larry Dietz, director of market intelligence at Symantec. "Ever seen the Wizard of Oz? What was the scarecrow's problem? He didn't have a brain. And how did the wizard solve the problem? He gave him a diploma that said he was smart."