Clearing up some misconceptions about SANS 17799:2
There are a lot of misconceptions about the new information security standard SANS 17799:2. Here are a few of the ones that have been floating around. I have tried to explain them in order to help your company decide whether SANS 17799:2 is an appropriate information security standard for your business.
- “We are confused. What’s the difference between the ISO 17799, the BSS 17799 and now you’re talking about the SANS 17799?” The BSS, or British standard, came first and was then adopted by the International Organization for Standardization (ISO), making it an international standard. In South Africa, the South African Bureau of Standards (SABS) has adopted the revised version of the British standard, and it is now called the South African National Standard, hence SANS 17799:2. It is a newer version than the current ISO standard, but it is expected that ISO will adopt the revised version soon.
- “17799 is an IT (information technology or computer technology) standard.” No, this is incorrect: 17799 is an information security standard. That means it encompasses all the IT aspects of the business, but it also has a far broader application, as it covers all aspects of information security for the business. Thus paper files, business drawings, copyrighted intellectual property and all other information assets are protected by the standard. So no, it is not only an IT standard, but broader than that.
- “We have a good firewall, and our systems administrator really knows what he’s doing, so we are safe.” This is a very limited view of a company’s information security requirements. Technical solutions such as firewalls are merely a small part of the bigger picture of information security. A lot of information security breaches occur as a result of employee negligence or fraud, and the best firewalls and other technology will not stop this.
- “We know all our employees, and we are sure none of them would do anything to harm the business.” This may be the case, especially in the small business environment, but who else has access to your information resources? What about the contractors who fix your computers? What about the auditors who audit your books? What about the subcontractors who clean the office? By following the 17799 standard, things like third-party access to information processing resources are clearly controlled, and, when necessary, contracts with such parties are modified to include information security requirements.
- “We know that information security is important, but we are sure nobody is really that interested in our information.” By adopting an internationally and nationally recognised security standard, you are not only making sure your information is secure, but you are also demonstrating best practice should any legal claim be made against you. Thus, should the unfortunate occur and your company is sued for the loss of a third party’s information or for an employee’s violation of another company’s intellectual property, you can point to your adoption of the standard to show best practice, that is, that you did the best you could and therefore should not be liable.
- “That is all very well, but we do not really see a lot of security risks in our business.” The standard is based upon the risk model that the business decides for itself. If you do not see a lot of risk, then you do not need to put in all the controls that are outlined in the standard. You only need to put in place those controls your business considers necessary, bearing in mind the types of business risk that apply to your business.
- “We have looked at the standard, and it speaks about policies, but that’s OK, we have bought a CD full of policies from the USA.” Using policies from other countries creates a new risk in itself. These policies have not been drafted with South African law, and especially South African labour law, in mind. Therefore, if push comes to shove, it may turn out that they are not in line with South African law and as such cannot be relied upon. The standard very clearly states that all aspects of it must comply with the local law of the country where the standard is being put into place.
- “We have downloaded an Electronic Law Risk Checklist; it said that it would cover us if we follow all its points.” By complying with an objective standard, your company can show best practice in the event of legal proceedings; you can show objectively that you have taken all reasonable steps. Merely complying with a checklist of risks will not carry as much legal weight as complying with an internationally and nationally recognised standard.
- “Speaking of law, that’s OK, our company lawyer has sorted all that stuff out.” The law in this area is very specialised, encompassing many elements of e-law as well as the industry-specific law of your own industry. It is therefore important, and in fact a recommendation of the standard, that when necessary outside expert opinion or consultants with specialist knowledge in this area be engaged.
- “So once we have complied with the standard, is that it? We don’t need to worry any further?” No, the standard prescribes a constant process of review, update and implementation. This is an ongoing process, which takes into account changes in the nature of the business, changes in the nature of the security risks to the business and changes in the nature of information security technology. For example, you may have e-mail and Internet usage policies, but do these cover “blogging”? A Californian case has already come up where an employee’s blog was found to be detrimental to the company and the employee was dismissed. In South Africa, our labour law is a lot more complex than Californian law, and only by having a clear policy that is consistently enforced can a company take action against an employee.
02 Feb 2005
This article is intended to provide general guidance and does not constitute professional advice relating to specific instances. Should you wish to place any reliance on the information presented in this article we strongly advise that you consult your legal advisor or the Electronic Law Consultancy - firstname.lastname@example.org