Information Security


11 November 2002

Protecting valuable information has always been vital for everyone, from individuals to the largest companies, governments and financial institutions.

News of the latest breach in information security seems to be an everyday occurrence, either on the internet or through other routes. Today we depend more and more on the internet to store and manage information, and this has boosted the size and significance of the threats we face.

The British Standards Institution is known worldwide for its Kitemark of product excellence and as a global leader in setting quality, safety and service standards for industry and commerce.

BSI has an extensive array of products and services to help organisations protect their information systems and electronic data. We can offer:

* The information security standards - Part 1 ISO/IEC 17799 & Part 2 BS 7799

* Registration to BS 7799 Part 2

* Training courses in information security management

* "Proteus" - Information Security Management software

How do the standards help?
ISO/IEC 17799 Part 1 is a standard that contains over 100 security controls to help firms identify elements of their business that impact on information security. BS 7799 Part 2 is a specification to which organisations can be assessed and registered. BS 7799 helps firms identify, manage and minimise the range of threats to which information is regularly subjected. These include internal threats, external threats, accidents, malicious actions and industrial sabotage.

Work started on a practical guide for information security management in the early 1990s, when a group of leading companies including BOC, BT, Marks and Spencer, Midland Bank, Nationwide Building Society, Shell and Unilever combined to develop BS 7799 Part 1, "Code of Practice for Information Security Management".

The specification to which organisations can be assessed and registered - BS 7799 Part 2 "Specification for Information Security Management Systems" - was first published in February 1998 and last updated in May 1999.

BS 7799 is based on assuring the integrity, availability and confidentiality of information assets. Assurance is attained through controls that management creates and maintains within the organization. The ten key controls identified by BS 7799 for the implementation of a successful information security programme are:
* A documented information security policy
* Allocation of information security responsibilities within the organization
* Information security education and training
* Security incident reporting and response
* Virus detection and prevention controls
* Business continuity planning
* Control of proprietary software copying
* Critical record management processes
* Protection of personal data (privacy)
* Periodic compliance reviews

Following the establishment of BS 7799 in the UK, BSI led a drive to have BS 7799 accepted world-wide. The primary thrust was through the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC). These organizations agreed to "fast track" the transition of BS 7799, the Code of Practice for Information Security Management, into the international standard ISO 17799 in October 2000.

Once standard practices are defined, it becomes advantageous for those standards to be adopted consistently, both regionally and globally. In the same way that ISO 9000 certification offers assurance that products produced by different organizations in different geographical areas will meet a consistent level of quality, information security certification offers an expectation that the security of information systems in different organizations will be managed in a consistent manner. All companies depend on information to operate their business processes, and business partners, clients and suppliers now exchange much of that information over computer networks. Clearly, the inter-networking of organizations, e-Commerce and the Web has driven the need for information security certification.

How can I get registered to BS 7799?
For an organisation to gain BSI registration for its information security management system, it must pass an assessment by a BSI auditor against BS 7799 Part 2. To achieve this, the firm establishes a management framework as set out in BS 7799. It then asks BSI for an estimate of costs and time-scales for assessment, and submits an application to BSI. BSI then undertakes a desktop review, conducts an on-site assessment, and makes recommendations. On successful completion of the audit, BSI issues a certificate of registration. This is valid for three years and is supported by routine assessment visits.

What are the benefits?
Registration to BS 7799 gives organisations the tools to safeguard confidentiality, integrity and availability of key information - both for themselves and for their customers. This independent verification delivers a number of valuable benefits:

* Credibility, trust and confidence: customers know that steps have been taken to keep their information safe.

* Cost savings: a single breach could cost an organisation more than £100,000.

* Compliance: registration helps show compliance with relevant laws and regulations.

* Commitment: registration helps demonstrate commitment at all levels of the organisation.

Organisations registered to BS 7799 through BSI
Here are a few of our high-profile clients:
* Camelot Group PLC (National Lottery)
* Smile - The internet bank from the Co-operative Bank
* LINK Interchange Network (cashpoints)
* Dai Ichi Kangyo Bank in Japan
* University of Texas, Dallas
* Vodafone

Smile internet bank
The UK-based internet bank "Smile" became the first in the world to be registered to BSI's information security standard BS 7799. Security is of paramount importance to Smile. The company knew that the multiple levels of security surrounding its internet systems were extremely robust, but found it very satisfying to know it had met all the rigorous requirements laid down by BSI.

Link Interchange Network
Link is the UK's most visible and accessible network of cash machines and self-service terminals. Providing a full 'turnkey' service to organisations that do not wish to operate their own ATMs, Link has a network of 30,000 machines and processes 85 million transactions a month. Link believes that the recognition BSI certification provides gives it a further basis for strengthening its reputation and minimising opportunities for potential harm to its business operations.

Vodafone's high-tech data centre in Dusseldorf serves 20 million phone users across Germany and Austria. It is one of Germany's largest data centres, handling many millions of transactions each day for both mobile and fixed phone accounts. Joachim Bellinghoven, managing director of Vodafone TeleCommerce, said: "Security is the key challenge in the mobile electronic commerce environment. We are delighted with this recognition from BSI, which shows our customers and the industry that maintaining a high standard of information security is a central issue for Vodafone."

Reasons to choose BSI
When organisations choose BSI as their business partner, they are also choosing our international reputation for excellence. With more than 90 office locations around the world, BSI has the flexibility and capability to provide a first-class service. In addition:

* BSI's BS 7799 registration service is accredited by the United Kingdom Accreditation Service (UKAS).

* International recognition worldwide.

* A range of complementary services including the development of standards, systems assessment, product testing, certification and inspection, and training courses, materials and seminars.

* Internationally experienced Client Managers who act as primary links throughout and after registration, causing less disruption to valuable management and operations time.

* Strong links with other standards and certification bodies and technical consultancies.

* Communication Forums run free throughout the year. BSI experts give advice on developments in all assessment and registration products.

Wilma Tulloch on +44 (0)20 8996 6330 OR
Marc Edney on +44 (0)20 8996 6330