June 24 2002
This article first appeared in Information Security Management magazine (www.infosecuritymanagement.com)
Past experiences of 'standards' like ISO 9000 may be the reason that so many IT managers are steering clear of such accreditations, but Roger Wilmott argues they are missing out on a valuable resource for ISM in the form of BS 7799.
A recent DTI survey of UK firms found that only 15% of those questioned were aware of the contents of BS 7799. I'm not surprised, given the previous experiences of most UK organizations. Mention 'standards' and you'd be reminded of the accreditation process for ISO 9000/BS 5750: piles of documents to read and multiple forms to fill in. IT managers are more interested in solving problems than in getting accreditation for what they have already done.
As one IT manager told me: '[ISO 9000 is] less about helping solve a problem - which is what the IT manager needs - and more about putting a tick into a box to keep the auditors happy.' It is not surprising that talk of a new standard is causing many managers to run for the hills.
In fact, they are ignoring a valuable resource. BS 7799 provides real, practical guidance by providing a methodology and specification for information security management across the whole organization.
BS 7799, which includes ISO 17799, provides best practice recommendations for information security management, for use by those who are responsible for initiating, implementing or maintaining security. It is intended to provide a common basis for developing effective security management practices and to provide confidence in inter-company trading agreements and business partnerships. Approximately half of the material covered by BS 7799 is specific to IT; the other half relates to the security aspects associated with people, policies and procedures, so implementing BS 7799 requires the involvement of HR, legal and facilities, as well as IT. Many of the people who use BS 7799 are not looking to gain certification, but use it because it provides such a useful framework for driving a comprehensive security policy.
Although BS 7799 originated in the UK, it hasn't been widely adopted here. This is not the case in other countries, where the benefits are better understood: Japan, India, Australia, Taiwan and Korea are all early adopters. The encouraging news is that although only 15% of UK companies surveyed by the DTI were aware of the standard, of those that were, 38% have implemented its recommendations.
There is a clear role to be played by IT managers in educating their organizations about the advantages of BS 7799. Many businesses recognise areas of significant exposure and put some kind of prevention mechanism in place, such as a firewall or anti-virus application.
However, this is akin to securely locking the doors in a house to prevent a burglary, while leaving all the windows wide open: an organization is only as secure as the weakest point of access. Another approach is for organizations to take a 'reactive' stance, to patch up a security hole once a breach has occurred.
Although this action may address a particular incident, it may not address other areas of the business where the same incident could occur. In any case, approximately 80% of security incidents are caused by people within the organization and are predominantly due to carelessness or ignorance rather than malice.
Information security control policies and internal processes and procedures are just as important as external safeguards; both internal and external considerations are covered in BS 7799. BS 7799 is a top-down approach and, because of this, it is more likely to get senior management commitment than piecemeal or reactive solutions.
The UK government is also driving the adoption of BS 7799. The official website of the user group is www.xisec.com, providing information resources to help in the understanding, awareness and implementation of information security management and BS 7799.
An example of the government's strong commitment to the standard is a directive stating that by 2008, all e-commerce must be compliant with BS 7799. Nevertheless, organizations should not view this as being forced to comply with the standard. BS 7799 is an extremely useful tool for protecting the organization, and adopting it is in everyone's best interest.