ISO 17799 electronics-oriented?

I just heard an intelligent, IA-focused gentleman discuss his team’s
new information policy framework. It’s neat stuff: a meta-policy for
writing information assurance policies, focused on risk assessments,
continuous measurements feeding back into policy generation, and a
format-agnostic approach. That is, it encourages policies to be
written for certain sorts of information content, not for specific
technologies or storage media.

For example, policies at many organizations are written for Laptop
Drives, Shared Storage, Web Servers, USB Media, Paper Storage, Voice
Mail, etc. These folks advocate writing policy around the content
instead, so regulation of HR/Personnel information is written in one
place, covering it whether it’s stored in voice mail, a filing
cabinet, or an iPod.

That seems like a neat idea. There are problems, of course, but in a
lot of ways it describes why I like functional programming better than
object-oriented programming: it’s easier to extend on one axis,
harder on another. So I asked the obvious question: how does this
compare to ISO 17799? Ideally, I’d have been pointed to a document
comparing this to a number of other frameworks, including ISO 17799.

They have no such document. Instead, I got told that ISO 17799 is
boring and uninteresting, since it focuses too much on electronic
issues. These folks claimed that, for example, it required regulation
of electronic documents separately from paper documents. Now, I
haven’t looked at this since it was British Standard 7799—and my
notes from those days got left behind under NDA. But I sure don’t
remember it being structured that way. Anyone who works with
CISSP/17799 stuff on a regular basis, am I mis-remembering? Did this
guy’s quick read of ISO 17799 confuse him?