ISO17799.PDFVIP

N ovembe r /Decembe r 2006 ? T he I n f o r ma t i o n Managemen t J ou r na l 43 retexting. Zero Day Attacks. SQL Injections. Bots and Botnets. Insider Infractions. Click Fraud. Database Hacking. Identity Theft. Lost Laptops and Handhelds. According to Ted Humphreys, in a recent International Organization for Standardization (ISO) press release, “It is estimated that intentional attacks on information systems are costing businesses world- wide around $15 billion each year and the cost is rising.” Today’s information professionals need to address an ever-increasing number of internal and external threats to their systems’ stability and security, while maintaining access to critical information systems. As the e-commerce space continues to grow and new tools allow organizations to conduct more business online, they must have controls in place to curtail cyber crimes’ malicious mayhem, tampering, and wrongdoing. Organizations need to address information security from legal, operational, and compliance perspectives. The risk of improper use and inadequate documentation abounds, and the penalties are greater than ever. By combining best practices outlined in the international standard ISO/IEC 17799 Information Technology – Security Techniques – Code of Practice for Information Security Management (ISO 17799) with electronic records management processes and principles, organizations can address their legal and compliance objectives. This article explores the opportunity to bridge the At the Core This article Describes the components of ISO 17799 and provides a step-by-step method for using it as the frame- work for an information security program Tells how organizations can use ISO 17799 in conjunction with their electronic records manage- ment processes and principles to address legal and compliance objectives Discusses data loss reporting issues P Organizations can use ISO 17799 as a model for creating information security policies and procedures, assigning roles