Conventionally, information security management may have been considered a technology problem and may have been handled, if at all, by a systems administrator. However, information security may be viewed as more of a business and regulatory issue than a technology issue. As information security continues to increase in importance, organizations are challenged and/or required to prove that they are managing information security to a level that will satisfy customers, management, government and corporate regulators, auditors, and so on. This is especially true in areas including finance (e.g., Gramm-Leach-Bliley (GLB)), communications, travel (e.g., Patriot Act), health care (e.g., Health Insurance Portability and Accountability Act (HIPAA)), and other fields.
Standards bodies and government agencies continue to provide guidelines and regulations concerning information security. For example, ISO (International Standards Organization) 17799 defines, at a high level, an information security program and architecture. Federal Circular A-123 provides guidance to managers of federal agencies on establishing accountability and internal controls. This guidance includes standards and requirements for conducting assessments of internal controls related to financial reporting. The Federal Information Security Management Act (FISMA) defines an architecture for reporting information security incidents within the federal government. This act requires departments and agencies to implement security architectures and policies to address vulnerabilities to their enterprise systems. Sarbanes-Oxley (SOX) describes standards and requirements for conducting assessments over financial reporting for publicly held companies.
Government is not the only body to promulgate standards and provide guidelines. Consider the VISA Cardholder Information Security Program (CISP). CISP is designed to protect cardholder data, regardless of where it resides, and to ensure that members, merchants, service providers, and so on, maintain acceptable standards of information security, both to increase consumer confidence and to reduce both the risk of loss and actual losses. Companies like VISA may wish to audit their members to determine the degree to which the CISP is implemented. Conventionally this audit may have been a manual, in-person review that requires the compilation of data from numerous locations.
Standards and guidelines provide benchmarks against which designed systems and/or deployed systems can be compared. Typically this comparison has been done manually, on an ad hoc basis, usually co-opting auditors and information technology personnel (e.g., system administrators). With the presence of diverse human actors, standards may be inconsistently interpreted and/or applied, and therefore the validity and value of the results may be questioned. Comparisons between standards and implemented systems have typically included examining factors such as whether physical best practices and/or technological best practices are defined, in place, used, and appropriate.