It may have a low profile now, but could the BS7799 standard
finally get the topic of information security out of the closet and
into the boardroom? Alison Classe reports
Apparently British firms don't know a good thing when they see it -
or perhaps they just haven't seen it. Though BS7799 has been around
since 1995, it isn't exactly a household name. Next week's DTI
information breaches survey will reveal that just 6% of information
security managers could name the standard.
Kevin Black, director of sales and marketing with Internet
Security Systems (ISS), comments, "The main reason the standard
doesn't yet have great visibility is that security is still largely
seen as the preserve of security specialists and gurus." Even
companies with a lot staked on e-commerce projects often pay
alarmingly little attention to security issues, Black reports.
On the other hand, there's a high degree of awareness among
security professionals, many of whom have greeted the standard as a
useful tool for explaining security concepts, and hence the
function of their various products and services.
Interest is not limited to the UK: MIS Corporate Defence
Solutions, which has been certified under BS7799 itself and also
helps other companies to prepare for certification, has received a
lot of overseas enquiries, including from the US.
"The current version of the standard is non-UK specific," says
MIS-CDS consultancy manager Julie Kenward. She expects it to become
an ISO in the near future, although some other consultants are
sceptical about whether this will happen.
The value of BS7799
What do its fans like about BS7799? Mostly, that it encourages a
coherent approach to information security. Too often, the typical
user organisation's approach to security has tended to be ad hoc -
a firewall here, a smidgin of encryption there - with no overall
strategy for managing risk.
Colin Robbins, product strategist with Nexor, thinks the
industry is partly to blame. "As soon as a security fear is
mentioned, technologists start talking about PKI or something, and
before you know it, you may have spent half a million on technology
when an insurance policy might have been more appropriate. The good
thing about the standard is that it's pragmatic. It says: 'Let's
identify risks and take appropriate measures'."
It's not that anything revolutionary is being attempted here -
the contents of BS7799 have much in common with assorted security
management guidelines, procedures and methodologies used by
consultants for decades. But none of these approaches has achieved
industry-wide acceptance. In BS7799, security experts hope
companies will eventually recognise a universally applicable model
and one endorsed by a bevy of blue-chip organisations along with
the DTI and BSI.
Its admirers see BS7799 not just as a certification standard but
as a guide for anyone wanting a sensible approach to security.
Graham Welch, RSA Security vice-president of the UK, France and
Benelux, says, "The standard is extremely good guidance; the
articles associated with it are useful for raising awareness of
where the risks lie." Kenward agrees, "Even if you don't want to go
for the certification, it's worth complying with the standard
because it represents best practice in looking after
information."
Is it too general?
An earlier BSI effort, BS5750, the quality management standard
which became ISO9000, was sometimes accused of bureaucracy. One
critic claims that compliance adds a one man-year overhead to even
the smallest project. "It guarantees that your quality systems are
properly documented, but not that your products are of good
quality," said another.
BS7799, on the other hand, is generally considered more
practical and less likely to generate gratuitous paperwork. In its
current version, advocates feel that it can be applied
realistically by even small companies.
Kay Ruddeforth is business manager with BSI Global Quality
Services, the commercial wing of BSI which, along with a handful of
other bodies like Det Norske Veritas (DNV) and Lloyds Register
Quality Assurance, offers to certify organisations for BS7799
compliance. She explains that BS7799 allows each organisation to
"pick and mix" the relevant controls. "So a small company can
choose only the controls that are relevant, as long as it can
justify why it hasn't implemented the others."
Some say the standard still errs on the side of generality. Neil
Barrett, technical director of security consultancy Information
Risk Management, finds BS7799 useful in many respects, and commends
it as "sane and comprehensible". But he says, "The standard asks,
for example, if you've got an antivirus policy, but the policy
might be to upgrade every week or every year - one of which is
clearly adequate and the other not."
Accrediting scheme c:cure fills in some of the gaps, he
concedes, by ensuring that auditors have a real-world appreciation
of what constitutes an adequate policy, but Barrett would also like
to see BS7799-approved procedures that reflect best industry
practice - for example, recommending a monthly virus update,
assuming that proved to be the optimal frequency.
But ISS's Black argues that its generality is what gives BS7799
a long shelf-life. "Obviously, new types of security breach are
always going to need a rethink of security policies. Building
security is a well-established discipline, but ram-raiding can
catch them on the hop for a few weeks. Implementing BS7799 should
mean you have a process in place for dealing with new types of
threat."
What's involved in getting a certificate
So what does it take to get certified? Ruddeforth explains there
are two stages to an audit. "The first stage is to review the
company's risk assessment and how they decided which of the
controls from BS7799 were relevant to them. Then, not more than six
weeks later, we go back and look at the policies and procedures to
see if they're working effectively and in accordance with the
standard. That involves interviewing people working at the
coal-face to see if, for example, passwords are being used as
they're supposed to be."
The upshot is either a statement by the auditors that the
requirement is met, perhaps with a recommendation of further work
in specific areas, or a statement that the organisation doesn't
meet the requirement.
How much work is involved in the audit? Ruddeforth estimates
that the first stage takes about two days and the second about four
days in a medium-size company. Of course, a lot more work goes on
behind the scenes - a typical elapsed time for preparation might be
six to nine months, she says, much of which would be devoted to
risk-assessment. User organisations may choose to bring in security
consultants to help with the preparation.
Insight Consulting is one of a number of firms in the security
and IT industries that have decided to take their own medicine and
get certified themselves as well as help other companies to do so.
Partner Ian Glover says that although the company was already
fairly confident about its technical security, this was still a
non-trivial exercise. The firm went through a staged process -
including scoping, gap analysis, statement of applicability,
risk-assessment, improvement plan - and emerged with some
worthwhile benefits along with its certification.
"The process clarified our approach and improved our procedures
in areas like incident reporting," says Glover. Now the firm will
be reassessed by certifying body DNV every six months to ensure
continued compliance, and especially to make sure that policies and
practice keep pace with any environmental changes.
Gaining a higher profile
Though BS7799 may lack visibility at the moment, that situation
looks set to change. The new Data Protection Act, which came into
force on 1 March 2000, may help to raise awareness. The Data
Protection Registrar's document, Preparing For The New Act, states,
"Reference to BS7799 may help data controllers assess the adequacy
of their current security regime."
On the other hand, awareness of the Act itself is, at best,
patchy, points out MIS-CDS's Kenward, who recently had a letter
from a credit company that mentioned the 1984 Data Protection Act
rather than the latest 1998 version.
Having implemented BS7799 could be a help in the case of a legal
dispute. George Gardiner, a partner in the IT and telecoms group of
law firm Tarlo Lyons, says, "In establishing whether a company is
accountable for a breach of security, the courts will look to see
whether it has employed adequate security methods.
Following BS7799 can at least indicate to the court that you're
aware of the problems and are doing something to secure the
company, using a recognised reference model." Of course, you would
have to show that you'd implemented and were continuing to adhere
to the model - official BS7799 certification might help here.
Insight's Glover points out that BS7799 could also be a useful
aid to compliance with the corporate governance demands associated
with the Turnbull Report. This fact might attract some attention
from any directors who realise they can be personally liable if
their companies don't give due attention to risk management.
Security issues relating to e-commerce - a new emphasis in the
latest version of the standard - could also raise its profile.
Smile, the Co-op's online bank, is among the first companies
outside the security industry to have been certified under BS7799
(with help from Insight Consulting) and evidently hopes that
emblazoning its Web site with the fact will reassure Net-shy
customers.
"Smile is safe - it's the only Internet bank in the world to be
accredited to BS7799 for information security management by the
British Standards Institution," asserts its home page. Announcing
the certification in January, Keith Girling, director of technology
at The Co-operative Bank, said, "We knew the multi-levelled
security surrounding our Internet systems was extremely robust, but
it is very satisfying to know we have met all the rigorous
requirements laid down by the BSI."
The growth of business-to-business e-commerce could give another
fillip to BS7799. Malcolm Skinner, product marketing manager with
Axent Technologies, expects to see large companies encouraging, if
not forcing, smaller suppliers, partners and agents to get
certified. "On the whole, the largest companies appreciate the
value of information, and their obligation to look after
information about third parties. They will be looking for an
indication that other companies they share information with have
taken steps to safeguard it. BS7799 is an obvious way of achieving
that."
- The British Standards Institution (www.bsi.org.uk) has
information about both the standard and its own certification
service.
- Information about BS7799 and c:cure: www.c-cure.org
- Det Norske Veritas claims to be the first certification body to
get c:cure accreditation.
What are BS7799 and C:CURE?
BS7799 is the British Standard for information security
management. It addresses the confidentiality, integrity and
availability of information and has two parts: a "code of practice"
and a "specification".
First published in 1995, the standard appeared in a revised
version last year. The 1999 version replaces references to "IT"
with "information", and has been revised in other areas to make it
clear that the information security issue is not restricted to the
IT department but is a corporate responsibility. Controls
specifically to address e-commerce have also been introduced.
The standard is looked after by a committee of the BSI's
information arm BSI-DISC. Companies like Marks & Spencer and
Shell were involved in the consultations that produced the
standard, along with IT organisations like the CCTA and BCS.
As with other standards, two separate validation concepts apply:
certification of organisations that comply with the standard, and
accreditation of those bodies and individuals who audit
organisations for compliance.
c:cure is a scheme for accrediting those who intend to audit
organisations for compliance with BS7799, with accreditation paths
for both certification bodies and individual auditors.
The scheme comes under the aegis of BSI-DISC and involves UKAS
(the United Kingdom Accreditation Service), the BCS and IRCA (the
International Register of Certified Auditors). Just to complicate
matters, c:cure accreditation isn't mandatory for BS7799
certification bodies and auditors.