ISO 17799:Standard for Security

Organizations can use ISO 17799 as a model for creating information security policies and procedures,assigning roles and responsibilities, documenting operational procedures, preparing for incident andbusiness continuity management, and complying with legal requirements and audit controls.

Ellie Myler, CRM, and George Broadbent

Pretexting. Zero Day Attacks. SQL Injections. Bots and Botnets. InsiderInfractions. Click Fraud. Database Hacking. Identity Theft. Lost Laptopsand Handhelds. According to Ted Humphreys, in a recent InternationalOrganization for Standardization (ISO) press release, "It is estimated thatintentional attacks on information systems are costing businesses world-

wide around $15 billion each year and the cost is rising."

Today's information professionals need to address an ever-increasing number ofinternal and external threats to their systems' stability and security, while maintainingaccess to critical information systems. As the e-commerce space continues to grow andnew tools allow organizations to conduct more business online, they must have controlsin place to curtail cyber crimes' malicious mayhem, tampering, and wrongdoing.

Organizations need to address information security from legal, operational, andcompliance perspectives. The risk of improper use and inadequate documentationabounds, and the penalties are greater than ever. By combining best practices outlinedin the international standard ISO/lEC 17799 Information Technology - SecurityTechniques - Code of Practice for Information Security Management (ISO 17799) withelectronic records management processes and principles, organizations can addresstheir legal and compliance objectives. This article explores the opportunity to bridge the

At the CoreThis article

Describes the components of ISO17799 and provides a step-by-stepmethod tor using it as the frame-work for an information securityprogram

Tells how organizations can useISO 17799 in coniunction withtheir electronic records manage-ment processes and principles toaddress legal and complianceobjectives

Discusses data loss reporting issues

November/D ecemOer 2006 The In format ion Management Journol 4 3

gaps and bring together informationsecurity, intellectual property rights,protection and classification of organi-zational records, and audit controls,

ISO 17799 Components,Applications, Implications

ISO 17799 provides a framework toestablish risk assessment methods; poli-cies, controls, and countermeasures;and program documentation. The stan-dard is an excellent model for organiza-tions that need to:

• Create information security poli-cies and procedures

• Assign roles and responsibilities

• Provide consistent asset manage-ment

• Establish human and physical secu-rity mechanisms

• Document communications andoperational procedures

• Determine access control and asso-ciated systems

• Prepare for incident and businesscontinuity management

• Comply with legal requirementsand audit controls

Information security can bedefined as a program that allows anorganization to protect a continuouslyinterconnected environment fromemerging weaknesses, vulnerabilities,attacks, threats, and incidents. The pro-gram must address tangibles and intan-gibles. Information assets are capturedin multiple and diverse formats, andpolicies, processes, and proceduresmust be created accordingly

Organizations can use this standardnot only to set up an information secu-rity program but also to establish dis-tinct guidelines for certification, com-pliance, and audit purposes. The stan-dard provides various terms and defini-tions that can be adopted as well as therationale, the importance, and the rea-sons for establishing programs to pro-tect an organization's information

Figure 1: Steps for Establishing and Implementing and Information Security Program

assets and resources. Figure 1 depictsthe suggested steps and tasks associatedwith establishing and implementing aninformation security program.

This ISO framework is methodical-ly organized into 11 security controlclauses. Each clause contains 39 mainsecurity categories, each with a controlobjective and one or more controls toachieve that objective. The controldescriptions have the definitions,implementation guidance, and otherinformation to enable an organizationto set up its program objectives accord-ing to the standard methodology.

Step 1: Coriduct Risk AssessmentsThis component of the standard

applies to activities that should be complet-ed before security policies and proceduresare formulated.

Risk is defined as anything that caus-es exposure to possible loss or injury.Risk analysis is defmed as a process ofidentifying the risks to an organizationand often involves an evaluation of theprobabilities of a particular event or anassessment of potential hazards. Losspotentials should be understood todetermine an organization's \'ulnerabilityto such loss potentials.

Risk categories are both internal

and external and can include:

• Natural: Significant weather eventssuch as hurricanes, flooding, andblizzards

• Human: Fire, chemical spills, van-dalism, power outages, andvirus/hackers

• Political: Terrorist attacks, bombthreats, strikes, and riots

Conduct risk assessments to under-stand, analyze, evaluate, and determinewhat risks organizations fee! are likelyto occur in their environment. Riskassessment activities involve informa-tion technology (IT) and informationprocessing facilities, facilities manage-ment and building security, humanresources (HR), records management(RM) and vital records protection, andcompliance and risk managementgroups. These groups must collectivelydetermine what the risks are, the levelof acceptance or non-acceptance of thatrisk, and the controls selected to coun-teract or minimize these risks.

Risk analysis is conducted to isolatespecific and typical events that wouidlikely affect an organization; consider-ing its geography and the nature of itsbusiness activities will help to identifyrisks. Loss potential from any of these

4 4 The In formal ion Management Journol • November /December 2006

events can result in prohibited access,disrupted power supplies, fires from gasor electricity interruptions, water dam-age, mildew or mold to paper collec-tions, smoke damage, chemi-cal damage, and total loss(with the destruction ofthe entire huilding).

Regularly monitor emerg-ing threats and evaluate theirimpacts, as this is a constant, movingtarget. For example, according to anIMlogic article, "IM [instant messaging]worms are the most prevalent form ofIM malware, representing 90 percent ofall unique attacks in 2005. These attacksfrequently utihzed social engineeringtechniques to lure end users into click-ing on suspicious links embedded insideIM messages, enabling the activation ofmalicious code that compromised thesecurity of host operating systems orapplications."

Although threats are increasinglysophisticated in the virtual sphere, thesimple occurrence of employees stealingcompany information on paper is stillvery real and prevalent in today's workspace.

Step 2: Establish a Security PolicyThese components of the standard

provide the content that should be includ-ed as weU as implementation guidance toset the foundation and authorization ofthe program.

To set its precedence, an informa-tion security policy should be devel-oped, authorized by management, pub-lished, and communicated. It shouldapply to all information assets and mustdemonstrate management's commit-ment to the program. Explain implica-tions on work processes and associatedresponsibilities and outline them inemployee job descriptions.

The security policy should beadministered, documented, and period-ically evaluated and updated to reflectorganizational goals and lines of busi-ness. This is captured under clause 6.0for organizing information security. Itreflects administrative and managementactivities to implement the security pol-

Employees arepart of the

overallinfornnation

securitylandscape andoften they arethe closest and

best able toprevent certainincidents from

occurring.

icy. All activities must identify authori-ties, responsibilities, agreements, andexternal security requirements. This hasan impact on information processingfacilities, external parties, access issues,and problem resolution measures. Keepa record of all policy administrationactivities to create historical relevancefor the information security program.

Step 3: Compile an Asset InventoryThis component of the standard

addresses asset management, controls,and the protection thereof. It applies to altassets in tangible and intangible form.

Identify the organization's intellec-tual property (IP), toots to create andmanage IP, and physical assets with a

detailed inventory so the organizationknows what type of resources it has,where they are located, and who hasresponsibility for them. Identifying how

assets are to be used, classified,labeled, and handled is neces-

sary to establish an assetmanagement inventory.This inventory should also

distinguish the types, formats, andownership control issues. Implement

associated rules for the use of assetsincluding e-mail, Internet usage, andmobile devices. Classifying assets andestablishing procedures for labeling andhandling according to the classificationscheme are also important. Documentsin electronic form will lend themselvesto being identified through metadataand document properties completion.However, these processes must all becompleted by resources. Althoughautomation of these processes is a possi-bility, an organization still faces exten-sive costs and resource coordination toaddress this piece.

Step 4: Define AccountabilityThis component oj the standard

addresses the human aspect of security; itapplies to the level of accountability thatemployees, contractors, and third-partyusers have to use to protect an organiza-tion's information assets.

An information security programwill not be implemented unless rolesand responsibilities arc clearly articulat-ed and understood by those havingownership in the program. Ideally, theseroles and responsibilities should be out-lined in job descriptions and document-ed in terms and conditions of employ-ment.

Employees are part of the overallinformation security landscape Lmdoften they are the closest and best able toprevent certain incidents from occur-ring. HR is typically in charge of theseissues, but they must collaborate with ITand RM to ensure that all informationassets are addressed accordingly.

Define roles and responsibilitiesduring pre-employnient and screeningprocesses, and perform background

4 6 The In fo rma l ion Monagement Journol • November/DecBmber 2006

checks to support the hiring process. Ifthe job mandates working with highlysensitive information, an organizationmust be on guard to hire the most qual-ified person to perform thesetasks. These employeesmust possess a great dealof integrity, pay attentionto detail, and take theirresponsibilities seriously.

Information security awareness,education, and training must be a rou-tine activity to keep employeesinformed, to communicate expecta-tions, and to provide updates on theirresponsibilities. Standardize a discipli-nary process for security breaches.

When employees leave or changejobs, it is essential that HR, in collabora-tion with other stakeholders, followsthrough with a return of assets processand removal of access rights, which canbe captured in HR exit processes andprocedures. This often is not a coordi-nated process, which allows employeesto walk off with information or leavebehind on servers and in physical workspaces masses of orphaned and uniden-tified information. Redesign the HR exitinterview to ensure that informationreturn or transfer is a coordinatedprocess.

Step 5: Address Physical SecurityThis component of the standard out-

lines all the requirements for physicalsecurity perimeters and authorized entrycontrols; measures for protecting againstexternal and environmental threats;equipment security, utilities, and cablingconsiderations; and secure disposal orremoval of storage equipment media.

An organizations building andpremises, equipment, and information-processing facilities must be fail proof toprevent unauthorized intrusions andaccess, and possible theft issues. Thisapplies mostly to facilities managementand IT, although risk managementshould also participate to provide envi-ronmental risk protection measures.

Include guidelines for physicalsecurity perimeters, entry controls,environmental threats, and access pat-

An organization'sbuilding and

premises,equipment, and

information-processing

facilities must befail proof to

prevent unautho-rized intrusionsand access, andpossible theft

issues.

terns in this section. Also address sup-porting utilities, power, and telecom-munication networks. Finally, securethe disposal and removal of equipmentthat holds information so that informa-tion is truly deleted or "wiped" cleanfrom the slate.

Step 6: Document OperatingProcedures

Procedures for system activities,change management controls, and segre-gation of duties are included in this com-ponent.

Any organizational program will bemore established when program admin-istration, policies, procedures, and relat-ed processes are formally documented.

This component sets out to define oper-ating procedures, instructions for thedetailed execution thereof, and themanagement of audit trail and system

log information. It applies to allfacets of an information secu-

rity program.

Formally document-ing program activities will

allow an organization to keeptrack of the development, implemen-

tation, and associated documentationfor the program. Keep in mind thatdocumentation does not magicallyappear through word processing pro-grams. It takes resources, good writingskills, and an ability to change docu-mentation when necessary.

Address the separation of develop-ment, test, and operational facilities toreduce the risk of unauthorizedactions. Monitor and review third-party service delivery requirements toensure that actions are carried out asmandated. Plan for, monitor, andupdate system resources, capacity man-agement, and acceptance criteria, asnecessary.

Constantly monitor and prepare toprotect against malicious and mobilecode to guard the integrity of systemsoftware and information. This espe-cially pertains to intelligent cyber-crime activities such as structuredquery language injections and applica-tion to mobile devices, which areincreasingly becoming more sophisti-cated. This should also focus on incom-ing e-mails and downloadable attach-ments, as well as a review of webpages.

Backup and restoration proceduresmust provide for the replication ofinformation and methods for dispersaland testing, meeting business continu-ity requirements. This should alsoaddress retention periods for archivalinformation or those with long-termretention requirements. Address mediapreservation issues to ensure thelongevity of media that have long-termretention requirements.

Address network infrastructurethrough network controls and manage-ment. This includes:

4 8 Tht InFormaMon Monagament Journol • November /December 2006

' Remote equipment and connec-tions

• Public and wireless networks

• Authentication and encryptioncontrols

• Firewalls and intrusion detectionsystems

• Media handling and transit methods

• Information classification, reten-tion, and distribution policies andprocedures

Although mobile devices havehelped organizations stay better con-nected, employees must use more dis-cretion when using them. Alert employ-ees to proper etiquette for relayinginformation so they will not be over-heard in elevators, airports, or on otherpublic transportation.

Address electronic data inter-change, e-commerce, online transac-tions, electronic signatures, electronicpublishing systems, and electronic com-munication methods such as e-mail andIM. Their secure use and associatedprocedures must demonstrate accuracy,integrity, and reliability. For organiza-tions using e-commerce, this is not anoption, as current regulations are push-ing this into the forefront of IT agendas.Organizations should also monitortheir systems and record security eventsthrough audit logs. Also address recordsretention policies for archival or evi-dence requirements.

Step 7: Determine Access Controls

This compomni of the standardincludes guidelines for establishing poli-cies and rules for information and systemaccess.

Practice standard methods for allusers and system administrators to con-trol access to and distribution of infor-mation. Policies should apply to users,equipment, and network services.Newer technologies, such as those thathave passwords connected to finger-print digital touch pads, come at a cost,but they should be evaluated as a pass-word management tool.

Figure 2: California SB 1386 Excerpts, Source and Language Summary

Source Language

California 2002 Legislative Service,Chapter 915, S.B. 1386, Confidentialor Privileged Information -Computers - Data

California 2002 Legislative Service,Chapter 1054, A.B. No. 700,Telecommunications - PersonalIdentification Information -Disclosure, CA Civil Code 1798.82(g)

California 2002 Legislative Service,Chapter 1054, A.B. No. 700,Telecommunications - PersonalIdentification Information -Disclosure, CA Civil Code 1798.84(a)

California 2002 Legislative Service,Chapter 1054, A.B. No. 700,Telecommunications - PersonalIdentification Information -Disclosure, CA Civil Code 1798.84(b)

Access control measures shouldinclude:

• Setting up user registration andderegistration procedures

• Allocating privileges and passwords

• Implementing a "clear desk andclear screen policy"

• Managing;

- Unattended equipment

- Virtual private network solu-tions

- Wireless networks and authen-tications

- Network service issues such asrouting and connections

- Telecommuting virtual spacesand intellectual property rights

- Cryptographic keys and proce-dures

Any person or business that ownsor licenses computerized data thatincludes personal information, todisclose in specified ways, anybreach of the security of data.

"Notice" may be provided by one ofthe following methods:

(1) Written Notice(2) Electronic Notice

Substitute notice consisting ofe-mail notice, conspicuous postingon website page, and notification tomajor statewide media.

Any customer injured by a violationof this title may institute a civilaction to recover damages.

Any business that violates, proposesto violate, or have violated this titlemay be enjoined.

- Software development, testing,and production environments

- Program source code andlibraries

- Change control procedures anddocumentation

- Patches, updates, and servicepacks

Any information system that anorganization procures or develops mustalso include security requirements forvalid data input, internal processingcontrols, and encryption protectionmethods. Document the integrity,authenticity, and completeness of trans-actions through checks and balances.Retain and archive system documenta-tion for configurations, implementa-tions, audits, and older versions. Thisis further detailed in clause 12 of thestandard.

N o v e m b e r / D e c e m b e r 2 0 0 6 • T h e I n f o r m a l i o n M a n o g e m e r t J o u r n a l 4 9

Step 8: Coordinate BusinessContinuity

This component of the standardincludes reporting requirements, responseand escalation procedures, and businesscontinuity management.

As organizations increasingly comeunder attack and suffer security breach-es, they must have some formalizedmanner of responding to these events.

Business continuity managementaddresses unexpected interruptions inbusiness activities or counters thoseevents that impede an organization'scritical business functions. This processshould include:

• Identifying risks and possible occur-rences

• Conducting business impact analy-ses

• Prioritizing critical business func-tions

• Developing countermeasures tomitigate and minimize the impactof occurrences

' Compiling business continuityplans and setting up regular testingmethods for plan evaluation andupdate

A business continuity managementframework also includes emergencT orcrisis management tasks, resumptionplans, recovery and restoration proce-dures, and training programs. Testingthe plan is an absolute must to deter-mine its validity. Tests can include avariety of methods to simulate andrehearse real-life situations. Developcalling trees, hot- and cold-site configu-rations, and third-party contractors,depending on the organization's priori-ty of critical business functions.

Report information security inci-dents or breaches as soon as possible toensure that all relevant information canbe remembered. This requires havingfeedback processes in place as well asestablishing a list of contacts that areavailable around the clock to managethis process. Procedures should be con-sistent and effective to ensure orderly

Figure 3: ISO Clauses

Clause Description

10.5 Backup and document restoration procedures

10.8.1 Retention and disposal guidelines for information exchange

policies and procedures

10.10.3 Audit log information evidence requirements

11.3.3 User responsibilities for a "Clear Desk and Clear Screen Policy"

12.3.1 Transborder fiow and encryption information issues

12.4.1 Maintenance of system documentation and change controlprocedures

15.1.2 Maintenance of IP registers, licenses, copyrights, trademarks,and documentation

15.1.3 Records safeguarding and handling guidelines, classification,and retention schedules and inventories of key information

responses to not only manage theimmediate process but also to collectevidence for legal proceedings.

Step 9: Demonstrate ComplianceThis component of the standard pro-

vides standards for intellectual propertyrights, RM requirements, and compliancemeasures. These apply to everything froman orgamzation's information processingsystems to the granular data and transac-tional records contained within thosesystems.

There is an increased scrutiny onorganizations to demonstrate compli-ance with applicable laws, regulations,and legislative requirements for allaspects of their business transactions.Adherence to rules and regulations arean integral part of the information secu-rity program and will contribute todemonstrating corporate accountability.

Address identification, categoriza-tion, retention, and stability of mediafor long-term retention requirementsaccording to business and regulatoryrequirements. Document retentionperiods and associated storage media as

part of managing the organization'srecords. Address privacy and personaldata requirements, which can vary fromone country to the next. Address trans-border data flow and movement, andassociated encryption methods as relat-ed to import and export issues depend-ing on federal laws and regulations.

Follow up on and evaluate compli-ance with established policies and pro-cedures to determine implementationeffectiveness and possible shortcom-ings. Clearly delineate audit controlsand tools to determine areas forimprovement. Again, it is critical to taketime to document ali information relat-ed to the development and establish-ment of compliance and audit, includ-ing decisions made, resources involved,and other source documentation cited.

Data Breach Reporting IssuesNew information security require-

ments are emerging as a result of organ-izations' negligence to protect sensitivedata and impose adequate controls onemployees using mobile technology tohouse such data. Information security

5 0 The in format ion Monagemenl Journol • November /December 2006

issues are constantiy in the media, aswith the recent case when the U.S.Department of Veterans Affairs (VA)lost control of the personal informationof 28 million veterans when alaptop containing the infor-mation was stolen from anemployee's home. The VAwas criticized for its delay indisclosing the loss and notifj'ingthose affected,

California Senate Bill (SB) 1386 issetting the precedent for reporting anddisclosing data security breaches anddeclarations for privacy and financialsecurity. (See Figure 2 "California SB1386 Excerpts, Source and LanguageSummary.") Other states are nowadopting laws allowing consumers to"freeze" their credit files, even if theyhave not been a victim of identity theft.If passed, pending bills in the U.S.Congress, including S.I408: IdentityTheft Protec-tion Act and H.R. 4127:The Data Accountability and Trust Act,would also force organizations to bemore accountable for the vast amountof personal information that they mayhave.

Organizations should take heed ofthese legislative efforts and proactivelyplan for them hy updating their infor-mation security practices. Any organi-zation that uses e-commerce in its busi-ness practices must align its systems anddatabases for the protection of informa-tion content. Organizations that aresubject to these laws should structuretheir reporting measures according tothe following components of the ISO17799 standard:

• Clause 10.9 establishes electroniccommerce countermeasures andcryptographic controls to protectsensitive customer informationand all associated electronicrecords databases.

• Clause 13.1 provides a methodolo-gy for reporting incidents support-ed by timely procedures withappropriate behavior mechanismsand disciplinary processes.

Establish, fund,and monitor

training, support,and complianceto ensure that

employeesreceive

appropriatetraining beforeturning them

loose withthe tools.

Information Security Objectivesand Records ManagementComponents

Although information security isnow in the limelight and is being broughtto the attention of the executive-levelaudience, RM is still the basic foundationthat branches out into all the various newcompliance areas. Records managersneed to work with IT to ensure thatretention and vital records requirementsare addressed and are part of the manyinventories that the ISO standard sug-gests. They must also update their pro-grams to be in line with an informationsecurity program's objectives as outlinedin the controls and implementationguidance of the ISO 17799 standard.

Maintenance, retention, and protec-

tion requirements of data, information,and IP are addressed in the ISO clauses inFigure 3.

Vital records are those records that!are needed to resume and contin-

ue business operations after adisaster and are necessaryto recreate an organiza-

tion's legal and financial posi-'tion in preserving the rights of an

organization's employees, customers,and stockholders. If vital records protec-tion methods exist before an information,security program is established, theyshould be integrated or referred to as partof the larger information securityscheme. IP and the management andprotection thereof have long beenaddressed by organizations through avital recorcls program. When electronicrecords were not pi-evalent, vital recordsprotection methods included the samepremises, such as;

• Appraisal and identification of thoserecords that are deemed vital

• Duplication and dispersal processes

These methods can apply to anyelectronic environment but the inven-tories of such records must include notonly the paper versions but also theirelectronic counterparts captured inother media or systems within theorganization.

The objective to protect electronicvital records must focus on:

• Newly created records

• Work in progress j

• Other information that is not storedon servers and is typiailly found onusers' desktops

Although it can be argued that manyelectronic records are captured in enter-prise resource planning systems, routinebackups of this data may be re-circulatedso that long-term retention and protec-tion requirements are not addressed

Initially, allowing employees totransport laptops and other devices withlarge amoimts of data away from the cor-porate environment was seen as a way to

N o v e m b e r / D e c e m b e r 2 0 0 6 • The I t i f o r m a t i o n M a n a g e m e n t J o u r n a l 5 1

increase productivity. That is still thecase, but controls in the form of policiesas to what can and cannot be taken mustbe established and consistently enforced.As technology offers more ways to com-pact large amounts of data on very smalldevices, it is crucial to monitor and cor-rect employees to prevent their actionsfi-om compromising the organization'sresponsibilities for keeping informationsafe. Establish, fund, and monitor train-ing, support, and compliance to ensurethat employees receive appropriate train-ing before turning them loose with thetools.

Compliance also applies to informa-tion systems and their audit considera-tions. Administrators running an orga-nization's information systems must bejust as closely scrutinized as the employ-ees within the organization and in virtu-al spaces.

Stay Ahead of the Curve to StaySecure

While information security is thenewest flavor of the month, chances arethat many organizations have no pro-gram in place and, therefore, no controlover how their employees manage infor-mation.

Organizations cannot continue topractice their business in an irresponsi-ble manner. Using the ISO standard tostructure their programs is the founda-tion, but they must also stay ahead ofthe curve, outguessing and outsmartingpotential incidents and occurrences.Websites for information security arepervasive and provide both writtenmaterials and podcasts to help keepinformation professionals informed.Records managers and IT professionalscan also help each other achieve a bestpractices program for informationsecurity.

However, any program that anorganization initiates will need manage-ment support and resources to accom-plish it, Collaboration by all parties,including senior management, is essen-tial to achieve compliance in the space ofinformation security. PI

EUie Myler is a Certified Records Manager and Certified Business ContinuityProfessional and a 17-year veteran of the records management industry A SeniorRecords Management Analyst with Entiutn Technology Partners LlC, Myler has previ-ously served as a consultant to Fortune 500 companies in a wide spectrum of industries.She designs and customizes corporate governance programs for records management andbusiness continuity program initiatives and writes and lectures frequently on informa-tion management and technology topics. She may be reached at emyler@entium.com.

George Broadbent has more than 17 years of diversified system architecture, networkdesign and implementation, and application development experience, including networkmanagement of Novell NetWare and Microsoft Windows 2000/2003 networks. He hasdesigned and built local and wide area networks (LANs/WANs) that include the use ofhigh-availability systems, real-time data replication and hierarchical storage solutionsfor large multi-site organizations. He has performed the architecture, design, implemen-tation, deployment, and/or support of enterprise electronic mail systems with integratedelectronic archiving solutions for Microsoft Exchange-based systems. He can be reached atgbroadbent@entium.com.

References

ARMA Intemational. "VA IG Slams Top Officials in VA Data Theft Incident." WashingtonPolicy Brief July 2006. Available at www.arma.or§/news/policybrief/index.cftn?BriefID-}335(accessed 26 September 2006).

Bartholomew, Doug. "Responding to Risk: Invisible Enemies." Industry Week, 1 March2006. Available at www.industryweek.com/ReadArticle.aspx?ArticlelD=11440 (accessed 26September 2006).

Creenemeier, Larry. "The Next Data Breach Could Mean Your IT |ob." Information Week,17 luly 2006. Available at wvw.infonnatiormeek.com/setnrity/showAnick.jhtml?artictelD=190400266. (accessed 26 September 2006).

IMlogic. IMlogic Threat Center - 2005 Real-Time Communication Security: The Year inReview. Accessed 12 July, 2006 at www.imlogic.com/pdf/2005ThreatCenter_report.pdg. Nolonger avaOable.

International Organization for Standardization. ISO/IEC 17799: 2005, InformationTechnology - Security Techniques - Code of Practice for Information Security Management.Geneva, Switzerland; International Organiziition for Standardization, 2005.

. ISO/IEC 18043:2006, Information Technology - Security Techniques -Sekction, Deployment and Operations of Intrusion Detection System. Geneva, Switzerland:International Organization for Standardization, 2006.

. "New ISO/IEC Standard to Help Detect IT Intruders." AvaUable atwww.iso.org/iso/en/commcentre/pressreleases/2006/ReflOI7.html [accessed 26 September

2006).

U.S. House. Data Accountability and Trust Act, 109th Congress, H.R. 4127. Available atwvw.govtrackus/congress/billxpd?bill=hl09-4127 (accessed 26 September 2006).

U.S. Senate. Identity Theft Protection Act, 109th Congress, S.1408. Available at www.gov-tracku$/congress/billxpd?bilhsl09-1408 (accessed 26 September 2006).

5 2 The InformaHon Management Journol • November/December 2006