Abstract: . . .

[Slide title and opening bullets not recovered]
. . . responsibilities for all stakeholders
– Provide a platform for staged roll-out across the organization
• Competitive advantages
– Certification is a discriminator
– Improve asset/resource management
– Privacy legislation (e.g., HIPAA and the Gramm-Leach-Bliley Act)
• Corporate governance
– Management due diligence
– Trading partner agreements
– Government procurements citing “best practices” in information security
Independent certification provides an unbiased endorsement of management due diligence.

Copyright © 2003, Software Productivity Consortium NFP, Inc.

12 Certification Process
• Implementation
• Certification
– Stage 1: Documentation review
– Stage 2: Implementation audit
– Lead Auditor’s recommendation to certify
– Certificate . . .

[Slide title not recovered]
. . . http://www.csoonline.com/read/030103/lite.html
• Purchase standards
– http://webstore.ansi.org/ansidocstore/product.asp?sku=ISO/IEC+17799:2000
– http://www.ceem.com/infosecurity_standards.asp
• Auditor certification
– http://www.irca.org/home.html

25 How SPC Helps its Members
• We teach BSI’s 5-day security courses
– ISO 17799: Implementing Information Security Management Systems
– BS 7799-2: Auditing Information Security Management Systems
• Support evaluation of candidate certification bodies
• Help develop required analysis and documentation
• Assess compliance using gap analysis between the “ideal model” and the current implementation
• Plan for and review remedial actions
• Conduct shadow certification audits

26 Consortium Membership

27 Acronyms
BS: British Standard
BSI: British Standards Institution
CEO: Chief Executive Officer
FERPA: Family Educational Rights and Privacy Act
HIPAA: Health Insurance Portability and Accountability Act
IRCA: International Register of Certificated Auditors
ISMS: Information Security Management System
ISO: International Organization for Standardization
RAB: Registrar Accreditation Board
ROC: Republic of China
SPC, UAE, UK, UKAS, US: . . .