High Anxiety

A new security standard may help companies do a better job of protecting data, but it's no lock.
Elaine Appleton GrantJuly 31, 2006

Paul Wilde is a big believer in data protection. As CFO of Corillian Corp., he almost has to be. The Hillsboro, Oregon-based company delivers financial services and products to banks via the Internet. As such, the company not only stores data about customers, it also has access to information about customers’ customers. Thus, even a hint of a security snafu—let alone data theft—could prove highly corrosive to the company’s brand.

Given the stakes, it’s not surprising that Corillian is an early embracer of the International Organization for Standardization’s (ISO) new directive on data security. Known as ISO 27001, the standard is laid out in a 34-page manual that covers nearly 200 technology practices and procedures. Getting certified in 27001 can be a lengthy process. It took Wilde and Corillian more than a year to examine the company’s existing IT procedures, implement new ones, and document it all. Wilde believes the effort was worth it. “We think this is a very good [security] standard,” he says. “I hope that it becomes standard for companies dealing with personal financial information.”

That remains to be seen. Backers of 27001 say corporate compliance efforts such as Sarbanes-Oxley and HIPPA are seriously undercut by subpar IT controls—controls the new standard addresses. Barry Kouns, the information-security practice lead consultant at Churchill & Harriman, predicts the ISO’s latest IT benchmark will have an impact far beyond the corporate tech department. “The information-security management system in 27001 forces an organization to manage business risk,” insists Kouns, “not just information-security risk.”

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Others are not so sanguine. Critics say ISO 27001 is limited in scope and is expensive to implement (certification costs can top six figures). Andrew Jaquith, a senior analyst at The Yankee Group, believes the latest security directive could create a false sense of, well, security. “People tend to care about whether you have complied with the standard,” he explains, “rather than whether it is actually good security.”

Rusty Spoon

Most tech observers do agree on one thing: the new IT benchmark is an improvement over its predecessor. While experts say that standard (ISO 17799) rightly focused on the importance of IT best practices, it didn’t actually offer any. For example, 17799 recommended placing controls on network access, but gave no specifics. As Forrester Research analyst Khalid Kark notes, it was impossible to deduce if users should set up firewalls, put controls on routers, or limit access for employees.
Such ambiguity often led to protracted, fun-filled certification examinations. Asserts Jaquith, a former auditor: “I’d rather claw my eyes out with a rusty spoon than do one of those audits again.”

The ISO, apparently aware of the eye-clawing thing, introduced 27001 last year. The updated standard provides measurable criteria for setting up and monitoring controls. The rules-based approach has made it easier for businesses to follow along. At Xerox Corp., line managers at three of the company’s divisions recently commenced the 27001 certification process, as did Xerox’s internal-standards group. Tom Hurysz, vice president of platform and consulting services at Xerox, says he plans on following 27001 in conjunction with other controls frameworks, including SAS 70 (the American Institute of Certified Public Accountants’s standard governing information security for service providers). “I’d say 80 percent of what we do is good for both SAS 70 and 27001,” notes Hurysz. “It’s a way to satisfy the marketplace where some people feel that the SAS audit is better than an ISO audit and vice versa.”

Right now, it’s tough to find many companies that can claim to satisfy the ISO directive. Currently, only 39 U.S. organizations are certified for 27001 (or the British equivalent, BS 7799-2). That’s compared with 1,634 in Japan. But, the Federal Reserve Bank has attained 27001 compliance, a move that could generate interest in the standard, particularly among financial-services companies that outsource a lot of data-related work. Says Kouns: “More and more RFPs are coming out asking, ‘Where do you stand in complying with this international standard?’”

The guess is that 27001 will catch on, albeit slowly. Still, it’s not at all clear if certification will substantially boost data protection—or merely soothe customer worries about data protection. “Plenty of businesses spend an inordinate amount of time rewriting their security policies and practices to comply with a standard,” cautions Jaquith. “These companies can still be compromised faster than you can say ‘hacker.’”

Elaine Appleton Grant writes frequently about business technology.

Standard Deviation
When it comes to IT security certification, the U.S. badly lags other countries.
Country Certified Organizations
Japan 1,634
UK 249
India 194
Taiwan 92
Germany 57
Italy 42
U.S. 39
*Organizations (companies, business units, government agencies, or other entities) that are certified under either ISO 27001 of BS 7799-2 as of 6/5/06.
Source: ISMS International