Abstract
The rapid development of networks has caused senior management to reconsider the vulnerabilities of their organisations to information security incidents. Such reconsideration often reveals that the fundamental vulnerabilities lie not with the emerging technology but rather with the lack of an information security infrastructure within the organisation. Appointing a security officer is a common reaction to this situation, but the new appointees often find that there is a lack of immediately apparent support from senior management for additional budgets or organisational change, and no agreed authoritative source of information security guidelines. The situation has to some extent been addressed by emerging Information Security Management standards such as BS 7799. This paper discusses the manner in which a security officer may best employ such standards to enhance the level of information security in an organisation. The paper also discusses how the application of the standards reveals the requirements for an organisational security model that may be employed to assist in standards conformance and auditing.
References
FIPS 65 (1979) Guidelines for Automatic Data Processing Risk Analysis, Springfield: National Technical Information Service.
Moses, R.H. and Glover, I. (1988) “The CCTA Risk Analysis and Management Methodology (CRAMM) – Risk Management Model”. Proc. First Int. Computer Security Risk Management Model Builders Workshop, Denver, Colorado, 24–26 May 1988.
Department of Defense (1985) Trusted Computer Systems Evaluation Criteria.
CEC (1991) Commission of the European Communities. Information Technology Security Evaluation Criteria (ITSEC), Provisional Harmonized Criteria, Version 1.2.
British Standards Institute (1995) BS 7799: Code of Practice for Information Security Management.
Standards Australia/Standards New Zealand (1995) Draft Australian/New Zealand Standard: Information Security Management, DR 95305.
International Organization for Standardization (1995) ISO/IEC DIS 14980 Information Technology – Code of Practice for Information Security Management.
SMH Associate plc. (1995) CoP-il’TM User Guide.
Anderson, A., Kwok, L.F., and Longley, D. (1994) “Security Modelling for Organisations”. Proc. Second ACM Conf. on Computer and Communications Security, CCS’94, Fairfax, Virginia, USA, 2–4 Nov 1994, ACM Press, 241–250.
Wood, C.C. (1996) Information Security Policy, Baseline Software.
Copyright information
© 1997 Springer Science+Business Media Dordrecht
Cite this chapter
Kwok, Lf., Longley, D. (1997). Code of Practice: A Standard for Information Security Management. In: Yngström, L., Carlsen, J. (eds) Information Security in Research and Business. IFIP — The International Federation for Information Processing. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35259-6_7
DOI: https://doi.org/10.1007/978-0-387-35259-6_7
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-5481-0
Online ISBN: 978-0-387-35259-6