The latest hardware and software security solutions are a necessary evil in this modern age, but many companies commit funds and manpower to information security without taking a wider view of how they manage their security policies and procedures.
Information and IT are vital business assets, so an effective information security management system (ISMS) is essential. It helps ensure you develop the right controls, systems and products to meet the ever increasing requirements of customers and partners. This is absolutely key: without a considered and all-encompassing risk assessment of the security issues facing your organisation, any subsequent actions and procedures you put in place will be compromised.
The two-part BS 7799 standard was introduced by the DTI in 1995, and Part 1 has now been adopted by the International Standards Organisation as ISO/IEC 17799 (BS 7799-1:2000). Part 1 is not an assessment standard: it does not offer a total security solution for a fixed price, but rather offers best practice guidance in information security management.
Part 2 is the assessment standard (not yet adopted by ISO, so still referred to as BS 7799-2:2002). It is a risk-based management systems approach which uses a ‘plan – do – check – act’ cycle for continual improvement, and it refers to Part 1 for its wide range of information security controls, to be adopted as appropriate for your business.
The security measures selected by a good risk assessment will be those focused on the real needs of the business and therefore both cost effective and easy to integrate into the business processes. Subsequent accredited certification to BS 7799-2:2002 is a powerful demonstration of an organisation’s commitment to its ISMS and can offer the following key benefits:
- Competitive advantage: BS 7799-2:2002 certification provides a public and independent statement of capability.
- Minimised business risk: appropriate controls are put in place to reduce the risk of security threats and to avoid exploitation of system weaknesses.
- Confidence that your approach to security addresses all aspects, including IT, people, physical security and business continuity.
- Legislative compliance: existing and potential legislation is identified as part of BS 7799-2:2002 compliance.
- Increased confidence in your own security measures, judged against best industry practice through objective assessment by independent management systems experts (qualified in IT and information security).
- Demonstration of ongoing compliance and ISMS development, through regular ‘surveillance’ visits by your chosen certification body.
BS 7799-2:2002 is now internationally recognised as a useful management tool in the battle against a wide range of information security hazards. Organisations pursuing BS 7799-2:2002 typically do so for a number of reasons. Contractually they may be obliged to demonstrate compliance, and/or they want to gain marketplace differentiation to raise their profile and help secure additional business. Some simply recognise the standard as best practice in security management and see the positive benefit it can have for risk management and corporate governance.
Government is urging us to take IT security more seriously, and more companies demand BS 7799/ISO 17799 compliance from their suppliers. No organisation can afford to be complacent in the way it manages, stores and protects its data, yet many businesses appear to be slow in progressing towards BS 7799 certification.
The average cost of a serious security incident hits five figures, but many will reach six! Compare this with the fact that 53 per cent of organisations spend a mere one per cent or less of their IT budget on information security. A managed approach to security means that your limited budget is spent wisely: the ideal situation of improved security at lower cost. The risk-based approach and the link with corporate governance mean more effective justification of security investments.
Whilst IT has a key role, there are significant issues that broaden the security field. A key area is the human factor, e.g. a laptop left in a taxi or passwords on sticky notes stuck to monitors. Most personnel are not under the direct supervision of the IT department, and yet all too often security is considered to be solely an IT issue. Security policies need to be set by the business, reflecting the true value of data and the impact of security breaches.
You need to consider the integrity of data and the availability of information, in addition to confidentiality. Authorised users need ready access to relevant data, and they need to be confident that it is accurate and complete. The newest version, BS 7799-2:2002, contains an ISMS model similar to that of ISO 9001. The model is simple in concept yet powerful in execution, and organisations with a good QMS already have the basis for a good ISMS.
The risk management basis ensures that the ISMS is appropriate and cost effective, and the measurement and control aspects ensure that you know just how effective it is. Most organisations already have the basis of an ISMS in place, by way of some security controls and ISMS system elements. Implementation should be a group project involving all business levels and functions, not something allocated to a single person. There is a wealth of information available from a range of sources, such as the DTI.
As for the time scale to achieve certification, the real answer depends on your current status, expertise, resources and market needs. These can all be established through an independent gap analysis, offered by certification bodies (such as LRQA!) or by security consultants. Security consultants typically identify how they can help you develop the ISMS, whereas a certification body will give a neutral analysis of your readiness for formal assessment and the key areas to address.