Securing the Security Standard

June 30, 2003

The DTI’s 2002 Security Breaches Report found that a staggering 44% of UK businesses had suffered at least one malicious security breach in the past year alone – each costing between £30,000 and £500,000. But these figures could be just the tip of the iceberg as many businesses fail to report such incidents. Yet for many, faced with an economic downturn, IT security expenditure continues to remain a low priority. But the DTI now intends to change their minds with the help of the internationally recognised information security management standard ISO17799.

To date, only about 80 UK businesses have achieved ISO17799 accreditation, among them Camelot and the Internet bank Smile. The DTI now faces a challenge to encourage others to follow suit. So, to help its cause, the DTI has publicised the fact that it may make ISO17799 compliance mandatory, unless UK businesses start to take their security more seriously. Ironically it has acknowledged that it will not be compliant itself until such legislation is implemented.

The Seventh Data Protection Principle

The Information Commissioner has even included a question on its annual notification form asking whether a business is ISO17799 compliant. Whether he will take a greater interest in those not compliant is unclear.

The Seventh Data Protection Principle of the Data Protection Act 1998 requires that a business (ie a data controller) processing personal data (ie information relating to an identifiable living individual) should ensure a level of security appropriate to:

· the harm that might occur from such unauthorised or unlawful processing or accidental loss, destruction or damage; and

· the nature of the data to be protected.

The data controller should also take reasonable steps to ensure the reliability of all employees who have access to such personal data and that, where the data controller has sub-contracted or outsourced its data processing obligations to a third party (ie a data processor), such processing only takes place under a written contract.

The data processor must give the data controller sufficient warranties and indemnities in respect of its technical and organisational security measures.

If security lapses by the data processor lead to the loss of personal data, the data controller will be held liable for fines and damages and should therefore audit the data processor’s security measures regularly and, ideally, require that the processor can demonstrate ISO17799 compliance.

Liability for loss of IP rights and confidential information

Loss of business assets, such as IP rights and confidential information, may also occur if there is a breach in security. Encryption should therefore be seen as an essential business tool for protecting a business’s most vital assets whenever confidential information is sent over the Internet. Yet surprisingly few companies in the UK make use of encryption, and its uptake has so far been slow.

Turnbull Report

Since the Institute of Chartered Accountants published its Turnbull Report in 1999, all listed companies have been obliged to implement some form of internal controls on risk management. Consequently, the Stock Exchange Listing Rules now require directors to update shareholders on their company’s risk management controls.

In view of the corporate governance requirements under the Turnbull Report, CEOs should not be leaving IT security in the hands of the IT department alone.

Key principles of ISO17799

ISO17799 is an entry-level good practice framework for information security. It identifies key issues relating to:

§ organisational security

§ asset classification and control

§ personnel security

§ physical and environmental security

§ access control

§ mobile computing

§ teleworking.

All security procedures and responsibilities should be clearly identified in a staff security manual. Staff should undergo security checks upon joining a company and should continually be made aware of relevant security issues. Common sense security measures, such as locking doors and marking IT equipment with security ID, are the norm and will be expected by a business’s insurers.

Achieving ISO17799 accreditation

ISO17799 registration involves devising a workable information security management framework set out in BS7799-2, the second part of ISO17799. In 2002, the Organisation for Economic Co-operation and Development (OECD) published Guidelines for the Security of Information Systems and Networks, and BS7799-2 was revised accordingly and is now known as BS7799-2: 2002.

Businesses must adhere to the measures specified in BS7799-2: 2002 in order to achieve accreditation. To do this, they must complete four steps, identified in BS7799-2: 2002 as the “Plan, Do, Check and Act” requirements:

Step 1: Undertake a business risk analysis

· define the scope of the information security management system;

· define an information security management system policy;

· identify the risks that are faced by the business; and

· select control objectives.

Step 2: Implement internal controls to manage the identified risks

· implement the risk treatment plan;

· change the culture of employees; and

· institute physical security measures.

Step 3: Conduct regular and robust management reviews to assess the effectiveness of the security measures

· start monitoring procedures;

· conduct regular internal reviews and audits; and

· evaluate any residual risks.

Step 4: Take necessary action to adjust the security measures

· identify improvements;

· take appropriate corrective and preventative measures; and

· communicate the results to interested parties.

Key documents produced during this process outlining security controls and procedures will be used by the external auditor to award full ISO17799 accreditation, although he or she may make further recommendations with which a business will need to comply before it is granted.

Once accreditation has been obtained, regular audit visits will be carried out throughout the three-year period for which it is valid.

Conclusion

The global standardisation of security measures, combined with the benchmarking proposed by the OECD Guidelines and ISO17799, means that ISO17799 accredited businesses will find themselves at a clear advantage both at home and abroad. Businesses possessing the internationally recognised ISO17799 accreditation could well gain the edge in competitive tendering. An accredited company is also likely to win favour with its customers, shareholders and insurers.

It is these kinds of commercial advantages that the DTI should now be pushing in its bid to sell the benefits of ISO17799 accreditation to more UK companies. Pressure should also be put on the DTI to give funding or extend tax relief to SMEs aiming to achieve such accreditation.