At last: an agreement on best security practices
- By William Jackson
- Sep 06, 2001
One of the trickiest issues in securing computer systems and their data is that, although plenty of information is available, few practitioners agree about best practices.
An informal group of security experts is trying to create such a body of knowledge.
CASPR, short for commonly accepted security practices and recommendations, will be a series of peer-reviewed papers setting baseline best practices for a number of areas.
The idea is hardly unique, but the authors nevertheless expect CASPR to fill a void.
'We have found nothing comparable that is comprehensive and designed to be used by everyone,' said Bob Johnston, security adviser for Cogentric Inc. of Portsmouth, N.H., who is spearheading the project.
Several groups have agreed on best practices specific to their industries, such as insurance and financial services. And the International Standards Organization late last year published its Code of Practice for Information Security Management.
'We will probably be two levels finer than the ISO model,' Johnston said.
But the information security community remains fractious. It's almost unheard of for all involved to agree about anything. Help in establishing a baseline for best practices should be welcome, however.
CASPR started in April on a moderated Internet forum for security professionals who are certified by the International Information Systems Security Certification Consortium Inc., or ISC2, of Framingham, Mass. More than 200 of the forum's 900 members had signed on for the CASPR project as of early last month.
CASPR workgroups will produce papers about Unix security, certification and accreditation, security metrics, infosec awareness, incident handling, computer crime investigation, forensics, application development, database security, physical security, virtual private networks, firewalls, intrusion detection and public-key infrastructures.
Contributors do not have to be certified information systems security professionals, but each workgroup will have a CISSP editor. The CASPR membership will initially review each paper.
The papers will be freely available under the GNU Free Documentation License of the Free Software Foundation Inc. of Boston. ISC2 is not directly involved in producing the papers, but CASPR turned to the certification group to provide copyright protection.
Having ISC2 hold the copyrights 'eliminates having to build a corporation' for CASPR, Johnston said.
The first papers should appear online at www.isc2.org late this year.
William Jackson is a freelance writer and the author of the CyberEye blog.