What is ISO 17799, ISO 27000, PCI Credit Card Standard

For my System Security class we get to learn about ISO 17799, ISO 27000, and the PCI Credit Card Standard. When I first started looking up information about 17799 and 27000 I was a bit overwhelmed and confused by the information that is out there on the web. I felt much like I was trying to memorize a chart like this:
bad
Now I understand a bit better why there are so many software applications and business built around helping other businesses become compliant with these security standards.

So what are the ISO 17799, ISO 27000, and PCI Credit Card Standards?
They are a set of standards set forth by the International Organization for Standardization to ensure that consumer and customer data is kept safe. The ISO.org site says that the 17799 “contains best practices of control objectives and controls in the following areas of information security management:

security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management,  business continuity management, compliance.

In simple terms this means that businesses and organizations need to:

  • Make rules to protect their stuff and your data
  • Actually protect their stuff and workers
  • Keep others from stealing from them
  • Keep things maintained and running well
  • Keep the business running smoothly for customers
  • Make sure they are doing everything on this list correctly

I found it funny that the 17799, according to Wikipedia, is a word-for-word copy of the British Standard 7799-1. The 17799 was updated and renamed to 27002 to keep it up to date and grouped with similar documents numbered in the 27000 domain.

You can download the official ISO 2700 document from the iso website if you’re so inclined to read it or need it.

PCI Credit Card Standard

The PCI Credit Card Standard is a document outlining a standard to ensure that businesses that are taking credit card payments meet a minimum standard to ensure the safety of their customers and the associated data. The current standard covers 6 areas:

  • Have secure network
  • Keep data safe
  • Keep system up to date and secure
  • Good passwords & other access restriction measures
  • Watch network for failure and intrusion
  • Have a plan

What’s interesting to me about the PCI credit card standard is that it isn’t issued by a organization that has multi-national participation. It is run and enforced by the major credit card companies. If vendors aren’t compliant then the credit card holder is vulnerable and that isn’t good for the main credit card company because their customer will get hurt. In order for the credit card company to keep their good name and customers, they have set up a standard in hopes that their customers and money will be more protected. If a vendor isn’t compliant then the credit card company often fines or quits doing business with the vendor completely.

I think security standards are good in the fact that they push those who don’t care or who aren’t thinking about security, to do something about it. The downside to having security standards is that it creates an easy resting place for companies. It makes it easier for them to say, “I’m compliant so I don’t have to do any more than this”.  I think they can also misguide sometimes if the group making the standard focuses on a risk is in one place but an even greater risk ends up getting less attention.

Disclaimer:

This post is for a school assignment and I do not claim to be an expert by any means. I was assigned a topic I knew nothing about and tried to make sense of it and share what I learned in simple terms.

Resources:

http://www.noweco.com/risk/riske13.htm
http://www.pbandsp.com/tools/iso.html
http://en.wikipedia.org/wiki/ISO/IEC_17799http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
http://www.pcicomplianceguide.org/
http://www.computerworld.com/s/article/102913/Credit_card_data_security_standard_goes_into_effect
http://en.wikipedia.org/wiki/ISO/IEC_27000