RiskBloggers.com

27001

The U.S. Government Supporting Standards? (that they didn’t invent!)

By Jim Reavis

This tidbit may not rank up there with curing polio or the invention of YouTube, but I think it is pretty significant - you decide. It hasn’t been announced yet, but folks in DC tell me that NIST (the National Institute of Standards and Technology) is working on a project to map between the ISO (International Organization for Standardization) 27001 certification standard for information security management system requirements and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. Folks tell me that the goal of this is to come up with an ISO 27001 certification that is acceptable to the Feds, allowing government agencies to comply with the Federal Information Security Management Act (FISMA).

NIST 800-53 is good stuff; in fact, I know of several private sector companies who use it as the framework for their information security programs. The problem with standards is that there are too many of them. The world changed significantly when we dumped an alphabet soup of networking protocols such as DECnet, OSI, IPX/SPX and NetBEUI for just one: the Internet Protocol, or IP. I don’t see NIST as bailing on all the good work of 800-53; I see them translating it into the flexible format of ISO 27001. Federal agencies will have a more efficient means of complying with FISMA, and the rest of the world will have a stronger ISO 27001 to leverage within their security programs.

Could this be the domino that creates a regulatory standardization chain reaction? Could ISO 27001 become the default framework for IT auditors, and the way forward for SOX 404 compliance? Japan has already figured this out, and has roughly 2,000 27001-certified companies as opposed to about 60 in the U.S. Nothing happens overnight, but replacing security prescriptions inside of regulations with a pointer to international standards will be a great thing. Businesses will spend less on compliance and more on their business. Security gaps will be reduced in business-to-business and government-to-business communications. Perhaps we will all be able to focus on real problems and not so much on the checklists.


Federal IT Security: The Future of FISMA

By Paul Kurtz

(Editor’s note: Paul Kurtz, COO of Good Harbor Consulting, LLC, recently testified before multiple House Subcommittees regarding the future of FISMA, the Federal Information Security Management Act. We have published an edited version below; the full testimony is also available for download in PDF format.)


I am here today to talk about how certain information security developments in the private sector may have an impact on the future of the Federal Information Security Management Act (FISMA) and follow-on information security regulations and controls. FISMA is a good first step in what will surely be a long – and increasingly collaborative – process between the public and private sectors in safeguarding the integrity of the Federal IT infrastructure. However, as timely and well intentioned as FISMA was in 2002, the current law must evolve if it is to be effective in light of new technology and continually emerging threats.

First, I will address the strengths and weaknesses of FISMA as it is currently implemented. Second, I will discuss how changes in the private sector will be a strong factor in how FISMA and general IT security measures within the public sector evolve in coming years. Three specific trends are:

  • The need for greater empowerment of federal Chief Information (Security) Officers
  • The changing nature of IT and information security
  • The global drive towards common security standards



Neupart expands in North America

Industry leaders join Neupart’s management team, advisory board and launch educational series

By Jim Reavis (Shameless plug, but hey, it’s MY site - let me know if you want to get involved)

Seattle, WA and Copenhagen, Denmark – June 12, 2007 – Neupart A/S, an industry-leading information security risk management and awareness company, today announced the expansion of North American operations and the formation of Neupart Inc., based in the Seattle, Washington metropolitan area. The business expansion is being fueled by a growing market for security policy automation, standardization and compliance management tools, as well as by increasing customer demand for security awareness, notification and education solutions that can be customized to meet client requirements. Neupart’s expansion coincides with the recruitment of several industry experts and leaders to the Neupart team in the U.S.


ISO 27001 Resources

Standards Bodies

ISO - Home of the 27000 Series of standards

BSI Information Security Management Home Page

Useful Resources

NoticeBored - Great site run by Gary Hinson with a lot of relevant resources

ISO 27001 Informational Site - Not official, but kept current

ISO27001 Discussion Forum

ISO27001: Today and Tomorrow (Webcast)

Neupart ISO 27001 & Compliance Survey

ISO 27001: In the News


Neupart ISO 27001 and Compliance Survey

By Jim Reavis

Neupart A/S sponsored an online survey of ISO 27001 and regulatory compliance trends in March and April of 2007. Among the key findings were the following:

  • 31% of organizations have more than 10 significant security-related regulations to comply with.
  • The top regulatory area for spending in 2007-2008 is still anticipated to be Sarbanes-Oxley.
  • ISO 17799 is embedded in 85% of information security management systems to varying degrees.
  • Equal percentages of respondents (35% each) cited the top reason for ISO 27001 certification as asserting trust to business partners and as serving as a proxy for regulatory compliance.

The survey can be downloaded here.


Take Compliance Survey, Win an iPod or Zune

By Jim Reavis

I want to interrupt RiskBloggers’ normal programming for a short survey. I am working closely with Neupart, a leading information security awareness, risk and compliance management solutions provider, to lead their launch in the U.S.

Please help us gather important data about information security compliance trends and be automatically entered to win a Microsoft 30GB Zune or an Apple 30GB Video iPod.

This short survey contains only eight questions and will take just a few minutes to complete, but will help us gauge the industry’s progress towards adoption of ISO standards and understand your priorities for security compliance.

You initiate the survey by clicking this Internet link:

http://survey.enalyzer.com/?pid=t2ggabba

If you are interested in learning more about Neupart and our SecureAware solutions suite, please check out our website at http://www.neupart.com/.

You are now returned to your normal programming.