The UK government Department of Trade and Industry (DTI) 'Information security breaches survey 2002' reported that security incidents cost UK business billions in 2001. It also reported that security is often viewed as an overhead instead of an investment. The survey emphasised that good security allows business to progress.
Businesses today are dependent on IT. Managing business risk associated with IT is about people, processes and a good security culture.
The Organisation for Economic Co-operation and Development recently published guidelines entitled 'Security of information systems and networks' which highlighted the importance of establishing a security culture.
Every user and manager has a part in ensuring the effectiveness of information security, and everyone should be aware of the risks in their working environment. They should take ownership of and responsibility for protecting the assets appropriate to their role, and implement effective information security.
Having an effective information security management system (ISMS) is an indicator that a business is:
Providing confidence and assurance that your business systems and processes are secure is at the core of the ISMS approach.
Information security should not be a one-off purchase of technology bolted on after an incident. It should be an on-going process of development that keeps pace with the constantly changing business environment. It should provide value and an opportunity for businesses to demonstrate that they are fit for purpose.
An effective and up-to-date ISMS demonstrates business responsibility. It shows that a company protects its assets and does not put the assets of its business partners, customers and clients at risk.
The family of BS 7799 standards deals with the management of information security. Part 1 of this family was first published in 1995 and then became international as an ISO/IEC standard (ISO/IEC 17799) in 2000. This part of the standard is a code of best practice for information security management.
Part 2 is a specification for an ISMS and is the part against which certification is granted. The certification and audit process model used for part 2 is the same as that used for ISO 9001 and ISO 14000.
BS 7799 part 2 specifies a series of processes to ensure not only that business risks are assessed and treated, but also that review and improvement processes are in place to keep the ISMS up to date. A critical part of having an up-to-date ISMS is recognising the constantly changing business environment and the effects those changes might have. Action must be taken to manage these changes.
Threats to business systems change constantly. Operations change, assets change, and their utility and value change, while new opportunities arise and market conditions shift. The workforce can change, as can the company structure. These and other forms of change all pose new or increased risks, which must be managed before a company can say it is still fit for purpose.
BS 7799 part 2 certification involves an audit of the ISMS to check that the business has suitable processes in place to manage risks, keep the ISMS up to date and ensure the continued development of information security. The control system implemented to manage risk is derived from the controls given in ISO/IEC 17799, the 'Code of best practice'.
The world-wide take-up of BS 7799 part 2 for the purpose of certification indicates awareness of the risks and readiness for action. Many market sectors, e.g. telecoms, finance and insurance, have examples of organisations that have chosen certification.
The certification process involves many important contributors around the world that shape criteria, standards, and training used for auditing ISMS. To support the certification process IRCA has developed a scheme, criteria and a training syllabus for ISMS auditors to promote an international level of auditor ability.
The ISMS approach promotes a culture of security as a way of thinking. It makes businesses think about information security risks. Risks need to be treated through management actions, and a continual improvement programme must be in place to ensure the ISMS is kept up to date and relevant.
About the author
Ted Humphreys is director of XiSEC Consultants Ltd, a UK company providing information security management consultancy services. He has been an expert in the field of IT and information security for more than 27 years and has worked internationally. He is the chair of the ISO/IEC working group responsible for security management standards, including ISO/IEC 17799 and ISO/IEC TR 13335 (GMITS). He was also the editor of BS 7799 Part 1:1999 and the editor of the recently revised BS 7799 Part 2 standard.