
Signing up to security standards such as BS7799 could
ease pressure on SMEs
Multinational companies invest a lot of money in IT
security and increasingly expect smaller partners and suppliers to
demonstrate the same level of commitment.
IT security experts speaking at the RSA Security Conference last
month predicted that large companies would in the future specify
minimum security standards in contracts before doing business with
their suppliers.
Many smaller businesses generate much of their revenue from a small
number of large customers. Losing that business because adequate IT
security could not be demonstrated is not an option.
So what can IT directors do to balance the need for a demonstrated
level of IT security while reducing the time spent on random
security audits requested by potential business partners?
One mechanism to ease the pain is to adopt standards such as BS7799
and ISO17799 (the international version of BS7799 Part 1, the code
of practice; formal certification is assessed against BS7799 Part 2,
the management-system specification), which provide an
internationally recognised best-practice security model.
The standards cover 10 broad topics from how to prevent
unauthorised access to information systems through to preventing
loss, modification or misuse of user data. The topics are
deliberately broad, specifying the best practice that needs to be
achieved without dictating how. This allows IT directors to ensure
they can meet the security requirements of larger partners and keep
control of their own security.
However, to comply successfully with such standards, the IT
director must accept the cost of certification - for example, the
training they will need as part of the role. They should also be
aware that there will be surveillance audits, typically every six
months, to confirm that business processes remain aligned with the
company's certification requirements.
Alternatively, companies can devise their own security best
practices. The risk, however, is that large partners may not be
convinced these methods are adequate, or that the company makes
mistakes which are costly to fix.
There can be a competitive advantage in implementing standards
such as BS7799. This and many other standards are based on the
"plan, do, check, act" model, which can simplify business processes
and demonstrate that the company takes security seriously.
IT directors must be wary of suggestions that their company could
be standards-compliant rather than certified. Being compliant means
following the standard's controls but without regular independent
audits or an official certificate.
Although this may seem easier in the short term, without
certification many larger business partners will have no assurance of
the company's security and may still demand ad hoc, independent
security audits.
IT directors need to accept that audits are a fact of life and,
considering the time pressures they are under, it is better to know
that there will be regular audits which can be planned for, rather
than being hit with an audit unexpectedly.
They should also ensure that they receive training on the relevant
security standards. Existing security controls can then be adjusted
to fit best practice.
If IT directors do not support full certification, they may end up
being held responsible for the company losing business because they
could not demonstrate its security practices - a pressure no
IT director wants.
Arthur Barnes is principal consultant at Diagonal Security