
BS 7799: what can it do for you?

As a company, we’re beginning to see more and more recognition that information security is critically important to business success as we help end users deal with the consequences of inadequate data protection. Given that there’s clearly no shortage of data security system product vendors out there, not to mention a plethora of solutions, why aren’t companies more secure? Are you even at the stage of knowing you have a problem?

The Data Protection Act 1998 – and principle seven of that Act in particular – requires companies to maintain security of their data. Legal liability certainly focuses the minds of senior executives, but how does an executive judge his or her company’s security?

Are the members of the in-house IT team really as good as they say they are? Or (as is often the case) are they the highest risk due to their use of IT and management systems derived from constant fire-fighting and having to juggle impossible workloads?

Information security management
The standard that organisations are increasingly turning to in a bid to protect their information assets is BS 7799 (and its ISO equivalent ISO 17799). First issued back in 1995, this standard effectively covers the broader organisational issues related to establishing and maintaining an appropriate information security management system.
BS 7799 reviews no less than 127 controls in the areas of security policy, organisational security, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management and compliance.
Revised in 2002 to work in line with the ISO 9000 Plan-Do-Check-Act process, BS 7799 adopts a fresh approach to your security when compared with buying that one box solution. It enables the end user to identify risks and apply appropriate countermeasures. The pattern of recent years – which has involved the purchasing of heavy boxes with fancy graphics, flashing lights and impressive graphical interfaces – has now thankfully been discarded (unless there’s a clear risk-based decision-making process to justify the investment, and a review process to monitor its effectiveness).
In effect, you create a balance between people, processes and technology to form an information security management system that maximises security based upon your decisions regarding risk. Too often, we’ve seen a pattern of spending on security that involves under-investment, poor management and an over-reliance on product promises. Following the – almost inevitable – major incident, we then see an over-reaction and excessive spending in a single business area without a proper understanding of the wider risks.
Usually, investment is applied to the area that has suffered the breach, without any assessment as to whether that remains the area of greatest risk and is therefore likely to cause the most damage to the business.
Effective corporate governance
In addition to the obvious benefits of improving information security (such as identifying specific technical areas of focus), the BS 7799 standard offers executives the perfect vehicle for demonstrating effective corporate governance. To this end, the Information Commissioner has stated that BS 7799 is sufficient to satisfy the security requirements of the Data Protection Act.
Your company’s Marketing Department can also make good use of BS 7799 alongside other quality standards to demonstrate to your clients and customers that your organisation values their critical data. Another significant benefit of the standard is that it takes knowledge usually residing within the skills set of key individuals and builds systems that lock the expertise within an organisation. In effect, the firm’s key IT (security) employees become useful rather than indispensable.
While BS 7799 provides an effective framework for improvements, it still presents specific challenges for organisations. For instance, the technical complexity of many IT security solutions is beyond the capability of already-stretched IT Departments. Highly skilled individuals in this area are likely to move on quickly, leaving behind complex solutions without any appropriate management, monitoring and analysis.
Increasingly sophisticated solutions are now presenting overwhelming amounts of data for the IT team to interpret and understand. Expensive intrusion detection systems with SMS alerts may sound like a good idea… but only until you’re woken up at 2.00 am because of a fragmented packet on the company network!

Then there’s the whole issue of human resources managers and how they work with members of the IT team. These sets of individuals are often poles apart within the organisation, but form the basis of the required skills set needed to address information security as contained in the BS 7799 standard. Have you invested heavily in corporate firewalls, but still afford temporary staff access to critical information? As we often say to our clients: “If someone really wanted to steal your information, they’d come and work for you.”

Challenges at senior level
Senior management control of an area in which they have very little expertise itself presents a number of challenges. With your Board of Directors most likely having emanated from a financial or sales and marketing-oriented background, just who is assuming responsibility for information security at the highest level? Do you have a chief information officer on board? Even if you do have Board level responsibility, what meaningful management information do those Board members have access to in order to make informed decisions?

Risk assessment of information security is an area characterised by low probability, high impact scenarios and very little valid data upon which to base important decision-making. Your life insurance company will have a pretty good idea of your likely risks, based on little more evidence than simple lifestyle details. IT security, on the other hand, is not so straightforward. A feasible attack scenario can have catastrophic consequences, but how likely is it that your organisation will actually be targeted?

Data in this area tends to be dominated by vendor scare tactics or an understandable lack of openness as businesses hide the real costs of security incidents. Organisations often have poor historical data and little information security expertise that can be applied across various business risk scenarios.
Opportunity knocks…
With challenge comes opportunity. Early movers towards BS 7799 can gain significant advantages over their competitors. Could you be one of the first security professionals in your business sector with the certification? IT security managers should also bear in mind a potentially significant career progression following any successful BS 7799 implementation programme. Perhaps they’d be able to fill one of those missing chief information officer roles?

So when might you come across the BS 7799 standard? Perhaps when you’re writing that next tender to a large organisation or public sector body? Or perhaps you’ll have to gain certification in order to address the concerns of your clients? The standard also offers an ideal way to treat risk during the negotiation of IT-based contracts, complementing the usual Service Level Agreements.
You’ll most certainly discover that, as your awareness of BS 7799 increases, you can start to make use of it when judging your systems suppliers and key business partners.
