Enterprise Security Management Practices ◾ 31
© 2011 by Taylor & Francis Group, LLC
and processes in the form of lectures, whitepapers, standards, and guidelines. ISSMPs would be irresponsible not to leverage this experience. In fact, the previously documented standards and guidelines provide great resources that ISSMPs can use to begin to tailor their security programs. Additionally, where conformance to laws and regulations is required, it is mandatory for ISSMPs to use them as a foundation for their programs, but modify them for their specific organization's environment and requirements.
So, what are these standards and guidelines, and how does the ISSMP use them to build the policies and other components of the enterprise system security framework?
Standards and Guidelines
First let's define the terms. Standards are mandatory, i.e., they must be followed, and guidelines are provided as suggestions. In a lot of cases organizations publish standards to state an overall mandatory requirement and then publish more flexible guidelines on how the requirement can be satisfied. This allows for more flexibility in how the standard will be complied with at the organization or system level.
There are two sets of standards and guidelines: external and internal. The external ones are created by organizations such as government and nonprofit groups, e.g., the National Institute of Standards and Technology (NIST) and the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC). External standards and guidelines are usually driven by regulatory, professional, or business demands.
NIST was directed by the U.S. Congress to develop and issue standards and guidelines for government organizations and those working with the government. NIST is well known for its 800 series of Special Publications (SPs) and its mandatory Federal Information Processing Standards (FIPS) related to all aspects of IT security, which can be found at http://csrc.nist.gov/publications. For the U.S. government and associated organizations, NIST FIPS are standards (mandatory) and NIST SPs are guidelines.
ISO standards and guidelines are driven by the needs of the international communities to develop something they could use to guide them in securing their systems. Two of these are well known in the IT security community:

One is a standard, ISO/IEC 15408-3:2008, Evaluation Criteria for IT Security, which provides the standard framework for the evaluation of individual information technology products for conformance to the International Common Criteria for Information Technology Security Evaluation.

The other is a guideline, ISO/IEC 27002:2005, Code of Practice for Information Security Management, which "establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization." (Source: http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=50297)