Financial institutions are subject to a slew of laws and regulations aimed at information security. There’s Gramm-Leach-Bliley (privacy), Federal Financial Institutions Examination Council (authentication and online banking), and Payment Card Industry (card security). There’s also California’s and other states’ data breach disclosure laws, and the Sarbanes-Oxley Act. These laws and regulations have little to say about what constitutes effective information security or how to achieve it. Fortunately, the International Standards Organization has developed two standards that do precisely that. The two standards, ISO 17799 and ISO 27001, together provide a set of best practices and a certification standard for information security.