Newcastle Building Society has used its work to comply
with a Federation Against Software Theft (Fast) software licensing
audit as a stepping stone to achieving BS7799 information security
certification.
Pat Watson, information security manager at Newcastle Building
Society, said that although the society had to prove to Fast that
its software licensing regime was in order, she was also able to
get a tangible payback from the auditing effort.
The building society has been following BS7799 best practice
guidelines for the past five years, and last month it achieved
formal certification.
A major part of the preparation for achieving BS7799 compliance
was covered under the Fast certification programme, which Newcastle
Building Society undertook in 2003, 2004 and 2005, achieving the
Fast Platinum award.
For its Fast audit, Newcastle Building Society created policies
for software compliance, centralised IT procurement, and audited
1,100 PCs and more than 100 applications to ensure each was
licensed.
"The best way to tackle a software audit is to trace invoices,"
Watson said. In some cases, as with the society's Lotus SmartSuite
product, Watson had to trace back to the early 1980s, when the
package was first purchased, to find the original licence.
Watson said that throughout this process a major goal was to
achieve BS7799 certification. "Achieving Fast certification ticked
a number of BS7799 boxes. It was quite a lengthy process as we had
to do two years' preparatory work."
Certification proves to business partners that the organisation
has up-to-date security policies and promotes a culture of
information security, said Watson. It also helps with regulatory
compliance.
Thomas Raschke, senior analyst for IT security at Forrester
Research, said, "A lot of money is being wasted on regulatory
compliance. The advantage of a standard like BS7799 is that users
can make an educated decision on whether they really need Fort Knox
levels of security. You can identify where your real security needs
are."
David Lacey, former chief security officer at Royal Mail, who
developed the original BS7799 standard, said, "The key to
certification is to have a process." Lacey recommended any business
not already certified to follow BS7799 best practices in IT
security.
Building society keeps skills in-house
Newcastle Building Society decided to improve the skills of its
own staff rather than pay for external consultants to drive the
organisation through to BS7799 compliance. The company paid for
information security manager Pat Watson to attend a three-year MSc
course in information security and computer crime, which included
modules on BS7799. Watson also took a one-week International
Register of Certificated Auditors course for BS7799 auditors.
"The course puts BS7799 into context, has saved time and has
given me a thorough understanding of the standard," she said.