From: Power Steve (steve.power@barclaycard.co.uk)
Date: Wed Aug 08 2001 - 04:01:56 CDT
Hi all
I did try and send this immediately, but it didn't appear...spooky.
Steve
-----Original Message-----
From: Power Steve
Sent: Tuesday, August 07, 2001 4:26 PM
To: 'cisspstudy@securityfocus.com'
Subject: Back by popular demand : Summary of US standards question
Names have been omitted to protect the innocent....
US companies do acknowledge international standards such as ISO 9000, ISO 17799.
US companies can be regulated by state or federal rules, e.g. HIPAA for healthcare, or SEC, OCC and FDIC for banks. Useful sites include www.audit.net, www.infosyssec.com, and www.fistgov.gov
BS7799 is widely recognized as a best practice. The closest you may find to it in the US however, is SAS70.
Best Practices is fairly standard, but is an evolving practice due to Legislature.
The item you must be familiar with is the Gramm Leach Bliley Act and how it affects the Bank's US practices.
Many banks don't use ISO standards but use SAS http://www.sas70.com/index2.htm
More US companies are using the BS7799 now ISO 17799 as a guideline. There really isn't an equivalent ANSI standard that covers all the areas that x7799 does.
Companies in the US use ISO9000/2000 standards. Not many use the ISO 17799.
The US Department of Commerce, National Institute of Standards and Technology (NIST) has published a Self Assessment Guide for Information Technology which can be found at http://csrc.nist.gov/ It was released in March 01.
Many thanks to all that replied.
Anyone else wanna try and stimulate discussion ? ;)
Steve
Legal Disclaimer:-
Please be aware that messages sent over the Internet may not be secure and should not be seen as forming a legally binding contract unless otherwise stated.