Surveying the standards landscape

By James Lawson, ITWeb journalist
Johannesburg, 13 May 2010

Previous approaches to information security involved antiquated mechanisms that were neither driven by policies nor capable of being properly audited.

So said Allen Baranov, security analyst at South African Breweries, who spoke at the ITWeb Security Summit in Sandton, on Tuesday.

“Auditors like to look at a list and check off items to make sure everything is fine. When they find a problem, they highlight that issue.”

Baranov posed the question: “What are the boxes, and what do you need to do to get the tick?”

His answer: auditors will tell companies what they need to do. “ISACA is an organisation that released both the Certified Information Systems Auditor (CISA) and COBIT, which introduced a nice way of checking that all your computer systems are working.”

Baranov gave a brief overview of some of the standards available to organisations. He said the British Standard 7799, the first to be adopted, introduced a list of controls. Through the British Standard 7799-2, a way of managing that list of controls was introduced, he added.

“This was subsequently adopted by the International Organisation of Standards.”

He also mentioned the US standards group, NIST, which usually provides standards for US government agencies. He noted NIST is good for deploying specific technologies, like wireless standards, or security standards for desktop and servers.

He noted that COBIT allows organisations to add their own controls to the standard. “The nice thing about COBIT is that it doesn't tell you how to do it, it only tells you whether it is effective or not. It is up to the auditors to decide how they are going to measure the effectiveness.”

Baranov explained that it's possible to attach the ISO standard to the COBIT controls that are being used by a company, allowing it to see how the ISO standard recommends a situation should be dealt with. “ISO standards can be used to fill in the gaps.”

He added that ISO gives companies guidance on how to implement their security controls. “You can choose to do it or choose not to - you are in control.” Companies should look at the problem and put controls in place against it to ensure it won't happen again, he said.

“Look at each standard and choose the best ones. This allows you to focus and build a roadmap of how the standards will be used.”