Recent news:
New Standards Panel Faces Old Problems SECURITIES INDUSTRY NEWS
The securities industry's newest messaging standards body is preparing to address changes in the design rules and the modeling methodology for the International Organization for Standardization (ISO) 20022 messaging standard. ISO working group four (WG 4), formed last November as yet another in a long series of attempts to rationalize the fractious data models and messaging formats of securities trading and settlement, will convene in London on June 5 and 6, with Kevin Wooldridge, director of the business model and harmonization division of Euroclear, as chairman and with an agenda focusing on modeling methodology.
Members of WG 4 have not been willing to comment on the group's role or plans. Its two convenors--Matthew Rawlings, head of architecture for prime services at JP Morgan Chase & Co. in London, and James Whittle, standards manager of the London-based Association for Payment and Clearance Services (APACS) and a member of the 20022 securities evaluation group--did not respond to requests for interviews.
According to an industry source who requested anonymity, "WG 4 is in control of the ISO 20022 design rules and modeling methodology." The 20022 standard is an XML-enabled version of the predominant format for post-trade messages, ISO 15022. Since 20022 was initially proposed three years ago, its modeling methodology has been closely identified with the financial industry's Swift communications cooperative, which has responsibility for post-trade message formats for equities.
The June meeting will be the third WG 4 has held since its inception, and it is becoming clearer that the group has settled on three broad goals. One is to unify the pre-trade and trade message formats established by FIX Protocol Ltd. (FPL) and the post-trade formats of Swift, an effort that stalled a year ago when the five-year-old partnership between FPL and Swift came undone. The group's second aim is to standardize post-trade formats for asset classes such as fixed income, futures, derivatives and foreign exchange contracts.
Third, and most ambitious, is to rationalize the many and diverse communications securities industry standards based on extensible markup language (XML) and its variants. Aside from FIX, the securities industry's XML standards include the International Swaps & Derivatives Association's financial products markup language (FpML); a payments standard for corporate treasurers developed by the London-based Twist organization; the research information exchange markup language (RIXML) for distributing investment research; the market data definition language (MDDL); and extensible business reporting language (XBRL), which is being promoted by the Securities and Exchange Commission and others for submission of financial reports.
I once overheard a CEO say to his officers, "Process... piece a cake. Get all your documents to my admin by tomorrow. What's next on the agenda?"
Maybe that was the motivation for my "Hey, did someone say cake?" graphic and commentary. The complexity of process architecture is long stated, but the answers to that complexity are only now beginning to truly take form. Using some humor and chocolate frosting, the complexity of normalized process is the theme of "The Perils of Mount Must Read™". Sections starting with "Birth Records" and "If It Makes Sense It Exists" review ISO standards and current achievements to manage all forms of classification and evolution of standards development.
Although this process diagram is entirely constructed by PB&SP creative thinking, not an ounce of opinion exists without long and studied review of ISO quality and documentation standards.
February 12, 2006.
ISO 17799
ISO 17799 (in full: AS/NZS ISO/IEC 17799:2000) is a risk management code of practice framework for Information Systems security developed by the International Organization for Standardization. The standard specifies requirements for establishing, implementing and documenting information security management systems. It is a comprehensive set of defined risks and controls comprising best practices for effective security management for inter-departmental and/or inter-organisational dealings.
The excerpts below contained within quote marks are taken from the preface of "Information technology - Code of practice for information security management - AS/NZS ISO/IEC 17799:2001", Standards Australia/Standards New Zealand, Wellington, June 2001 (preface - pages ii & iii).
"The objective of the Standard is to give recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization. It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.
Information is a vital asset in any organization. The protection and security of information is of prime importance to many aspects of an organization's business. It is therefore important that an organization implements a suitable set of controls and procedures to achieve information security and manages them to retain that level of security once it is achieved.
This standard is intended for use by managers and employees who are responsible for initiating, implementing and maintaining information security within their organization and it may be considered as a basis for developing organizational security standards.
A comprehensive set of controls comprising the best information security practices currently in use is provided in this Standard. This guidance is intended to be as comprehensive as possible. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce and can therefore be applied by large, medium and small organizations.
With increasing electronic networking between organizations there is a clear benefit in having a common reference document for information security management. It enables mutual trust to be established between networked information systems and trading partners and provides a basis for the management of these systems between users and service providers."
This standard is available from Methodware as a model which can be used in Enterprise Risk Assessor, which includes COSO ERM, Basel II and ISO 17799 models.
Can an auditor be successful without at least some of the tools as defined by the BS7799?
BS ISO/IEC 27001:2005 (BS 7799-2:2005)
- Type: Code of Practice
- US laws enforced by its implementation, for starters: P.L. 107-347
- Author(s): BS ISO/IEC 27001:2005, British Standards Institute. Publisher: The United Kingdom Standards Policy. Supersedes BS 7799-2:2002, and is often mistaken for ISO/IEC 17799:2005.
- Primary URL: www.bsi-global.com
- Our primary source for work is the ISO/IEC JTC 1 U.S. TAG, who provide the following: Frequently Asked Questions for BS ISO/IEC
The standards as produced by ISO/IEC and BSG are heavily supported by the US Technical Advisory Group for the ISO/IEC Joint Technical Committee. Owned and managed by BSI, the focus of the BS 27000 series is Risk Management. BSI defines risk this way:
"Assessing security risks. Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. Risk assessment techniques can be applied to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful. The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems."
This series demonstrates tremendous efforts to align language and concepts across all major standards with emphasis in: ISO 9000 Quality Management, ISO 14001 Environment, OHSAS 18001 Occupational Health & Safety, and BS 7799 Information Security. Note a shift in language from IT Service Management to a broader ICT Infrastructure Management in all areas that pertain to information systems. The expanded use of ICT Infrastructure in place of ITIL Service Management and Service Delivery concepts makes room for a broader and more consistent mapping of British and other frameworks such as CobiT® 4th edition by ISACA®, NIST Special Publication 53a, FISCAM Volume Two and the ISG Tool as produced by the team of CISWG.
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
- security policy;
- organization of information security;
- asset management;
- human resources security;
- physical and environmental security;
- communications and operations management;
- access control;
- information systems acquisition, development and maintenance;
- information security incident management;
- business continuity management;
- compliance.
The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.
As further explained by the JTAG: What is BS ISO/IEC 27001?
BS ISO/IEC 27001:2005 (BS 7799-2:2005) is the new international standard that provides a specification for ISMS and the foundation for third-party audit and certification. The standard is complementary to the new standard BS ISO/IEC 17799:2005 (BS 7799-1:2005). The basic objective of the standard is to help establish and maintain an effective information management system, using a continual improvement approach. It implements OECD (Organization for Economic Cooperation and Development) principles governing security of information and network systems. The new standard replaces BS 7799-2:2002.
ISO publishes the following abstract and statement regarding use:
Abstract: ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
Source: http://www.insight.co.uk/bs7799/iso17799.htm
About ISO 17799 and BS 7799
BS 7799 Part I = ISO 17799. BS 7799 Part II summarizes the 127 ISO controls and additionally provides a specification for an Information Security Management System (ISMS). An ISMS is the means by which Senior Management must monitor and control their security, minimizing the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements. BS 7799 - the Code of Practice for establishing an Information Security Management System (ISMS) - is rapidly being adopted by many UK and international businesses who have recognized the need to demonstrate effective protection of their own, and their customers', information. This adoption led, in December 2000, to the International Standards Organization (ISO) publishing BS 7799: Part I as an international standard. It is known as ISO/IEC 17799:2000.
What's not in the ISO Standard?
The ISO standard currently provides guidance on 127 security 'controls' that are structured under ten major headings. The information provided for each control is intended for guidance only. Some confusion still arises, however, from the fact that there is a second part to BS 7799. This is a separate publication and covers Information Security Management Systems. It is not currently an ISO document. It is important to note that formal certification must always be carried out against BS 7799 Part II. This will continue to be the case until the publication of a fully ratified ISO equivalent of BS 7799 Part II.
The ISO Standard and BS 7799 Part II should be considered as a working 'pair' with distinct purposes as follows:
- ISO/IEC 17799:2000 (formerly BS 7799 Part I) is the Code of Practice and can be regarded as a comprehensive catalogue of guidance on what constitutes good security practice.
- BS 7799-2:2002 (Part II) summarizes the same 127 ISO controls and additionally provides a specification for an Information Security Management System (ISMS). An ISMS is the means by which Senior Management must monitor and control their security, minimizing the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements.
It is important to note that formal certification must always be carried out against BS 7799 Part II. This will continue to be the case until the publication of a fully ratified ISO equivalent of BS 7799 Part II.
Persons with certification will be required to transition to the new standard in 2006: ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
ISO/IEC 27001:2005 is intended to be suitable for several different types of use, including the following:
- use within organizations to formulate security requirements and objectives;
- use within organizations as a way to ensure that security risks are cost effectively managed;
- use within organizations to ensure compliance with laws and regulations;
- use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- definition of new information security management processes;
- identification and clarification of existing information security management processes;
- use by the management of organizations to determine the status of information security management activities;
- use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
- use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
- implementation of business-enabling information security;
- use by organizations to provide relevant information about information security to customers.
Companies certified/registered to BS 7799-2:2002 will need to make the transition to the new standard. Complete information regarding accreditation and certification is found at http://www.ukas.com/about_accreditation/International/default.asp
A certification scheme exists to certify organizations toward compliance. Although this is a British Standard, more than 9004 organizations in more than 40 countries have been evaluated and certified to BS 7799-2. The guidance is available for purchase from www.bsi-global.com (GB sterling £28.00 for British Standard Institute
Logos belonging to affiliated organizations suggest PB&SP support and are not in any manner a claim of ownership or copyright to materials or concepts belonging to these organizations, nor an implied creation of or collaboration in any product. We are readers and thinkers. We support that everyone read, pay for and use the right resources. We stand behind experience and consensus among clients and peers in suggesting these highlighted products and organizations are the best audit and compliance resources in the world.