. . .
    - Personnel Security
    - Physical and Environmental Security
    - Communications and Operations Management
    - Access Control
    - System Development and Maintenance
    - Business Continuity Planning
    - Compliance

36 Control Objectives, 127 Controls

SANS Auditing Template

ISO 17799: The World Is Not Enough
    "The standard's flexibility, however, is also its Achilles' heel. Critics say ISO 17799 is too vague and too loosely structured to have any real value. In some cases, they charge, the standard could inadvertently give an organization a false sense of security."
    - Lawrence Walsh, Information Security Magazine

Mile Wide and an Inch Deep
    - BSI says 7799 was never intended to be a technical standard. Unlike other security standards, such as the Commonly Accepted Security Practices and Regulations (CASPR) or ISO 15408/Common Criteria, ISO 17799 provides a broad, nontechnical framework for protecting information in any form.
    - No certification component, unlike Part II of BS 7799
    - Meant for any organization: rarely is that possible
    - Rarely attempts to provide guidance in evaluating or understanding existing security measures
    - Doesn't discuss the pros and cons of different controls
    - No common-sense advice (e.g., don't enable all defaults)
    - Expensive and short on methodology

Future of ISO 17799
    - Most U.S. public companies will need to seriously manage the security of their information assets
        - Tangible and intangible
        - People, process, technology
    - ISO 17799 compliance will be necessary to play in many markets for U.S. information-intensive businesses
    - ISO 17799 certification (against BS 7799 Part II) will be a discriminator

Questions