ISO 17799 for SOX Requires Security, Mindset Changes

“I wouldn’t hazard a guess on percentages, but there’s a high level of interest at the CIO level in 17799,” agreed Troy Smith, senior vice president of Marsh USA, the consulting arm of insurance broker Marsh, Inc.

However, as is the case with virtually all large-scale projects, complying with SOX using 17799 can be difficult and expensive.

For large companies, Higgins estimates the cost of implementing 17799 would likely run in the low six figures, and that would be for companies with a strong security infrastructure to begin with. Much of that cost will be related to documentation, but some expense will come from, as Higgins put it, “interpolating the standard.”

“The IT world has moved on since the standard was developed,” he said. “So, for example, you may need to interpolate where the security perimeter actually ends. Is it the home network of a road warrior?”

In broad terms, the 17799 standard covers areas such as:

  • Physical security, such as physical placement of equipment and locks on doors;
  • Personnel security, such as background checks of sensitive employees;
  • Access controls;
  • The enterprise’s security organization, including who manages security and how the commitment to security is structured;
  • Security policies and documentation of management direction; and
  • Business continuity provisions.
As with most such efforts, where you stand security-wise will determine how far you have to go, but ultimately, to be successful, buy-in from all employees is required. This means creating a culture of security, not just implementing security products, said Earl Crane, a senior consultant with Foundstone, a security products and services provider.

“Firewalls do nothing if somebody’s setting up a rogue (wireless) access point,” Crane said. “You need to create a mindset of security to correct those problems and that’s a management issue.”