Many organisations approach computer security in a fragmented manner. Astonishingly, some believe a firewall alone amounts to an adequate security policy. While firewalls have their place, protecting the perimeter and preventing unauthorised access to an organisation's IT infrastructure, they do not protect or secure anything beyond a company's boundary.
Beyond the firewall, consumers and business users are worried about buying, selling and even sending information. The paranoia is mostly centred on a few core themes – the purchase of goods online, the holding of personal information, the possibilities of identity theft, fraud and the wholesale resale of personal profiles and spending habits.
There is no doubt that understanding risk and the prerequisite security measures is now of paramount importance. To help customers identify those businesses whose services are indeed secure, there is the British Standard (BS) 7799 – a code of practice for information security management. Any business that can proudly display its BS7799 certificate can claim it safeguards the confidentiality, integrity and availability of its customers' information.
This is why companies, their partners and customers, all of those individuals that make up a collaborative e-community, should insist on BS7799. It is one of the few ways to be sure that all the risks have been identified and effective measures to manage those risks are in place throughout a trading community.
In a nutshell, BS7799 provides over 127 security guidelines, structured under ten major headings, from which an organisation can identify the security controls appropriate to a specific business or area of responsibility.
It gives detailed security controls for computers and networks and provides guidance on security policies, staff security awareness, business continuity planning and legal requirements.
The code is in two parts. Part one is the standard code of practice and can be regarded as a comprehensive catalogue of good security practice. Part two is a standard specification for an information security management system (ISMS).
Understanding vulnerabilities and their associated risks means a business can begin to take measures that either insure against or eliminate any potential exposure, specifically where IT systems and infrastructure are concerned.
Risk assessment will inevitably shed light on the precautions and security devices one can deploy, such as the installation of firewalls and the use of encryption technologies.
The best way forward is to understand your information systems, the flow of confidential information both internally and externally, and then decide where your risks are.
This is why BS7799 is becoming a critical business tool, because it will help businesses with customised processes and business rules to assess vulnerabilities, from the chairman's lost laptop to the casual use of the internet for the exchange of confidential data.
The loss of a laptop is sometimes unavoidable and its replacement will be covered by insurance. But the information it holds is a different matter altogether. There are ways of safeguarding information – it should be encrypted for a start and the laptop itself should be password-protected. But a password alone does not stop the data on the hard drive from being read, which is why the encryption matters.
The advantage of certification
The moral of the story is that company policy on the safeguarding of laptops or any form of mobile computing needs to be carefully thought out, as does an organisation's use of the internet for the transport of business-sensitive information. It is not enough to have made investments in certification technology – information travelling on the internet is as tangible as the stolen laptop.
While the laptop has some measure of insurance, the only way to use the internet safely for the exchange of business-sensitive information is to apply a heady cocktail of encryption technologies and digital certification, with the added benefit of a means for tracking, controlling and managing the information throughout its life cycle. This gives businesses point-to-point security, with absolute knowledge of where the information has been.
Obviously, as a service provider offering secure information exchange, the advantage of achieving certification is that it reinforces customer confidence in both the quality of the company and its services.
Furthermore, BS7799 sends a clear message to customers by instilling greater confidence in a vendor's ability to remain a trusted partner and one that ensures the integrity and safe-keeping of information. This is because remaining certified requires compulsory ongoing internal audits to demonstrate continued compliance with a standard that itself keeps changing.
BS7799 will identify how vulnerable a company is, particularly in areas that may currently go unnoticed, such as internet usage for the exchange of business information and other information-based assets. It will enable companies to assess new ways of protecting those assets and of assessing their vulnerabilities and risks.
Part 1: The code of practice
As a code of practice, part one stresses the importance of risk management and makes it clear that businesses do not have to implement every single guideline, though it does highlight those risks that need to be addressed. It incorporates all forms of information, including voice and graphics and media such as mobile phones and fax machines.
The standard recognises the need to focus upon non-traditional business areas such as e-commerce, electronic collaborative communities such as those found throughout a supply chain or those involved in high-level business negotiations that increasingly rely upon the internet as a means of information exchange. Similarly, it examines the potential risks involved from outsourcing systems and services, teleworking and the impact that mobile computing may have. Throughout, it becomes clear that information security should be a business enabler, not an inhibitor as it could so easily be.
Part 2: The management standard
This is a practical guide for businesses on how to build an ISMS. To do so, businesses are required to follow a six-step process:
Essentially, part two is all about understanding information assets and their value to an organisation. It spells out precisely what an organisation and the assessor need to do in order to ensure successful certification.