IT directors should be wary of taking full responsibility for their
corporate information
During the Second World War it was well recognised that national
security was a national issue. "You never know who's listening"
posters, showing Hitler eavesdropping on bus conversations, became
ingrained in the popular imagination.
Similarly, corporate security is a corporate issue, especially
when it comes to information - an asset in your own hands, a weapon
in the wrong ones.
Although few organisations would fail to claim they had a
corporate information security policy, how do they know if it is
good enough? In this arena, as in so many others, there is a
British Standard to guide the uncertain.
BS7799 was drawn up five years ago, and is currently going
through the fast-track process of becoming an international
standard, ISO/IEC 17799, due by the end of the year.
The standard, which also covers developments in e-commerce, is
about information security, not IT security, emphasises Peter
Restell, security expert at the British Standards Institution. "It
covers all media," he points out.
Inevitably, the predominant media are those associated with IT,
from floppy discs to clickstreams, which is why, historically, the
person most likely to be responsible for corporate information
security is the IT director.
"They do get the main brunt of the work," acknowledges Restell.
"Up to 80% of the implementation of the security standard is to do
with IT, so if IT has to see to that, it might as well take on the
whole of the information security responsibility."
The problem is that IT directors, not unnaturally, tend to focus
on the T, not the I. This presents two dangers. The first, says
Restell, is that non-IT media, such as good old paper, are easily
forgotten, especially in the Internet age with all the current focus
on issues such as encryption and credit card security. Moreover, on
a larger scale, information security also depends on physical
factors.
"Can you protect your corporate information if the building
burns down?" queries Restell.
The second problem is that a good security policy has to have a
large "people" element in it, which those in IT may overlook, or
may not know how to handle.
"You get cultural issues creeping in," says Restell. "How many
IT people know how to run a good staff-awareness programme?"
Just sending round a mass e-mail warning about not putting
passwords on post-it notes, or putting a reminder on the corporate
intranet that all staff should read the corporate security policy
manual, is not an adequate response.
Security is a large, complex issue, and in large and complex
organisations many people will be involved. They need to work
together, early and often, urges Restell.
"I talked to one organisation that had 50 information security
officers who were all told to implement BS7799," he recalls. "They
all rushed off to do so in their own way."
Inevitably, there was inefficiency and duplication of effort.
"There was no culture to do anything about facilitating a meeting
in a regular forum to compare notes," says Restell.
Nevertheless, BS7799 need not be implemented in big-bang
fashion.
"You don't have to implement it in the whole organisation at one
go," says Restell. "You can do it piece by piece and make gradual
progress."
It makes sense to first focus on the areas of highest risk,
where there is most likely to be a breach.
"You might start with a factory that handles very sensitive
technical drawings - which you may be manufacturing from (but which
belong to another company)," says Restell. "That would be the big
win."
The key point to emphasise is that information security is part
of corporate risk management, which is why it always has to be put
into context, especially when it comes to deciding how much effort
and money to put into the project.
As Restell comments, losing a million pounds might be a lot less
damaging to a huge bank than it would be to a small business, so
the effort to prevent that loss would be proportionately greater in
the smaller organisation.
That is why, however much of a mental turn-off security might be,
responsibility for it ultimately has to rest at the very highest
levels of corporate governance.
"It must be a policy signed by the highest individuals in the
company," says Restell. "It's a complex subject and difficult to
implement."
But the penalties of security breaches can be painfully public -
and very costly, both in terms of credibility and cash.
Security in a nutshell
- The cost of good security is the cost of insecurity - what
price will your organisation pay if security is breached?
- Internal staff are a far greater security risk than external
intruders - electronic or physical
- Security breaches in e-commerce can cause damage very fast -
credit card fraudsters can spend a lot of other people's money in a
very short time
- False confidence is more dangerous than lack of confidence that
you are adequately secure
- Unlike physical property, it can be difficult to know when
information has been stolen - it may have been copied without your
knowledge
- Information security policies must track developments in IT -
an out-of-date policy is as good as no policy at all
- Employee awareness of the importance of security is crucial,
but staff buy into corporate policies best when the policy affects
them personally and they have an explicit responsibility to
comply.