Legislators are setting enforceable standards for particular industries, like the Gramm-Leach-Bliley Act for financial services and the Health Insurance Portability and Accountability Act of 1996 for health care. President Bush's Critical Infrastructure Protection Board is leading efforts to set security standards for government agencies. Businesses, including the major credit card companies, are issuing standards for customers and business partners to follow. And other organizations are creating standards that they hope companies will follow out of the goodness of their hearts, or their pocketbooks. This last category of standards holds the most promise for being fair, functional and widely applicable, and right now it's a buyer's market.

In addition to ISO 17799 and BS 7799, CSOs can lean on a series of papers from the National Institute of Standards and Technology that offer similar advice. In particular, NIST Special Publication 800-14,known as the Generally Accepted Principles and Practices for Securing Information Technology Systems, can help with setting up and managing a security program. But watch out: Although 800-14 is often called a standard, it's not, really. It's a technical report. A guideline.

Meanwhile, the Information Systems SecuritySecurity Association, a nonprofit professional organization based in Oak Creek, Wis., is working on yet another "standard." Committee members hope this one will be to information security what the Financial Accounting Standards Board's Generally Accepted Accounting Principles are to accounting - never mind that GAAP is really only used in America. This standard is currently known as the Generally Accepted Systems Security Principles (GASSP).Using the framework provided by ISO 17799, GASSP aims to offer more specific guidance than such dictates as "a range of controls shall be implemented to achieve and maintain security in networks," but still not delve into the realm of specific products. The committee began its work a decade ago but languished, and it plans to relaunch its efforts this winter with Information Systems Security Administration funding and rename the standard the Generally Accepted Information Security Principles (GAISP). Alles zu Security auf CIO.de

At The George Washington University, Krizi Trivisani, director of system security operations, is partial to the NIST documents but admits that the use of any such standard is limited. "What these standards are trying to do is provide a common basis for organizational security standards, so you have a level of confidence and assurance in your organization," she says. "What they don't tell you is exactly how you're supposed to get that done."

Enter another contender: a bevy of technical standards like those from the Center for Internet Security that explains the best way to configure, say, Windows NT. Clint Kreitner, president and CEO of the nonprofit organization, describes his group's standards as the nitty-gritty ground view, as opposed to the 50,000-foot view.