Network security consultancy Corsaire reports on how a security policy should underpin information security.
The DTI Information Security Breaches Report (2002) identified security policy as the most basic and fundamental discipline in information security. Despite this, only 27 per cent of the UK businesses it surveyed had a documented security policy in place, rising to 59 per cent for larger companies. Although the figure has doubled since the previous survey, undertaken in 2000, it remains low. With such a large amount of data now held on networked systems, and with ever more information transferred across the Internet, it is imperative that organisations address information security as a business issue, with policies and procedures underpinning the technology.

Security policy refers to the collection of procedures, standards and guidelines governing all aspects of an organisation's network, most particularly where access to the Internet is concerned. It is the set of rules, whether procedural or enforced by technology, that governs the use of IT systems: it defines what behaviour is and is not permitted, by whom and under what circumstances.

DPA 1998

Unauthorised access and other security incidents resulting from a lack of, or an ineffective, security policy not only increase the risk of loss of business but may also have legal implications for the organisations involved. The Data Protection Act (1998) requires adequate protection of personal information throughout the data's lifecycle, from collection through transmission and storage to destruction. If the Act is contravened and an individual is found to have suffered damage, the data controller can be ordered to pay compensation. Worryingly, the DTI report found that only 48 per cent of UK businesses had documented procedures to ensure compliance with the Act.

The Turnbull Report states that risk management is the responsibility of the whole board and that internal controls need to be in place; these controls should be reviewed at least once a year. The recommendations in the report, written in 1999, became mandatory in December 2001. Directors who do not comply must say so to their shareholders and risk the wrath of the market.

Whilst employers have the right to protect their systems from abuse, employees also have rights under the Human Rights Act (1998). Under this Act employers must identify, and communicate to staff, the circumstances in which they will and will not read an employee's email. Reading email may be necessary, for example, in the course of a security incident investigation.

About BS 7799

The British Standard BS 7799 is becoming widely recognised as an important framework for the management of information security. Its origins go back to 1993, when the DTI set out to produce a code of best practice for secure on-line business. In consultation with big-name corporations it introduced a set of security standards which are now recognised worldwide and have since formed the basis of the international standard ISO 17799. Adhering to BS 7799 reduces an organisation's legal exposure (its controls support compliance with the Data Protection Act, for example) and provides the first nationally recognised benchmark upon which an organisation can build a bespoke security policy.

Ad-hoc infosec

Unfortunately, in many organisations that do have a documented security policy, the procedures and standards have been written by IT professionals who lack the commercial knowledge to ensure that the policy addresses the company's business needs. As a result, with or without a written policy, information security is often ad hoc, with little or no strategic planning and budgets spent in the wrong places. Furthermore, employees will often try to circumvent security measures that they feel are excessive, because the reasons behind security practices have not been effectively communicated. The DTI report stated that 16 per cent of large businesses attributed their worst security incident in 2001 to poor training on security issues, and found that non-compliance with security policy often only came to light in the course of a security incident.

Periodic review

A good security policy will contain a substantial number of control requirements and be comprehensive in addressing the business needs of the organisation. It should be reviewed periodically to ensure that it continues to apply as those needs evolve. Fundamentally, it must be delivered across the organisation, most effectively via the desktop and through training. Outsourcing the development and deployment of security policies has enabled many organisations to ensure that their policies address the needs of the business as a whole: specialist consultancies can advise on compliance with legislation and recommended standards, and confirm that the technologies in place are adequate and appropriate. The DTI report found that 60 per cent of businesses that had a security policy in place in 2001 had outsourced its development.

Overhead or investment

It is a sad fact that information security is often treated as an overhead rather than an investment. Many organisations consider a firewall and anti-virus software adequate protection without properly assessing their business needs. No two organisations will have the same security policy requirements and, what is more, without a policy it is impossible to ascertain whether the security needs of the organisation are being met. A security policy defines the role that IT security plays in supporting the requirements of the organisation, helps to identify the information assets that need safeguarding, and ensures that funds are directed appropriately when technology is implemented.