News Archive

About BS7799

by msecadm4921

BS7799; what can it do for you? asks Ian Mann, Senior Consultant, ECSC Ltd.

We see more recognition that Information Security is critically important to your business success, as we constantly help people either to improve their Information Security or to deal with the consequences of inadequate provision. There is no shortage of security vendors and products. So why aren’t we all getting more secure? Are you dealing with fewer security incidents? Are you even at the stage of knowing whether you have a problem?

DP Act

The Data Protection Act, and principle seven in particular, places responsibility on you to keep your data secure, and legal liability certainly helps to focus the minds of senior executives. But how does an executive judge their security? Are the IT team really as good as they say? Or, as in some cases, are they the highest risk, due to their use of IT and management systems derived from constant fire-fighting and juggling impossible workloads? The standard that organisations are increasingly turning to is BS7799 (and its ISO equivalent ISO17799). First issued in 1995, this standard effectively covers the broader organisational issues related to establishing and maintaining an appropriate Information Security management system (ISMS), covering 127 controls in the following areas: security policy; organisational security; asset classification and control; personnel security; physical and environmental security; communications and operations management; access control; systems development and maintenance; business continuity management; and compliance.

Fresh approach

Revised in 2002 to work in line with the ISO9000 Plan-Do-Check-Act process, BS7799 takes a fresh approach to your security compared with buying that one-box solution: it enables you to identify your risks and apply appropriate countermeasures. The pattern of recent years of buying heavy boxes with fancy graphics, flashing lights and impressive graphical interfaces is discarded, unless there is a clear risk-based decision-making process to justify the investment and a review process to monitor its effectiveness.

People balance

In effect, you create a balance between People, Process and Technology to form an Information Security Management System to maximise security based on your decisions regarding risk. We have too often seen a pattern of spending on security that involves under-investment, poor management, and over-reliance on product promises. Following the inevitable major incident, we then see over-reaction and excessive spending in a single business area without a proper understanding of the wider risks. Usually, investment is applied to the area that has suffered the breach, without any assessment as to whether that remains the area of greatest risk and therefore likely to cause the most damage to the business.

Showing governance

In addition to the obvious benefits of improving Information Security, such as identifying specific technical areas of focus, the BS7799 standard gives executives the perfect vehicle for demonstrating effective corporate governance. The Information Commissioner has stated that BS7799 is sufficient to satisfy the security requirements of the Data Protection Act. Your marketing department can make good use of BS7799 alongside other quality standards to demonstrate to your customers that you value their critical data. Another significant benefit of the standard is that it takes knowledge that usually resides within the skill set of key individuals and builds systems that lock the expertise within the organisation. In effect, your key IT employees become useful rather than indispensable.


© 2024 Professional Security Magazine. All rights reserved.