Newcastle Building Society has used its work to comply with a Federation Against Software Theft (Fast) software licensing audit as a stepping stone to achieving BS7799 information security certification.
Pat Watson, information security manager at Newcastle Building Society, said that although it was necessary to prove to Fast that the firm's software licensing regime was in order, she was able to get a tangible payback for the company's auditing efforts.
The building society has been following BS7799 best practice guidelines for the past five years, and last month it achieved formal certification.
A major part of the preparation for achieving BS7799 compliance was covered under the Fast certification programme, which Newcastle Building Society undertook in 2003, 2004 and 2005, achieving the Fast Platinum award.
For its Fast audit, Newcastle Building Society created policies for software compliance, centralised IT procurement, and audited 1,100 PCs and more than 100 applications to ensure each was licensed.
"The best way to tackle a software audit is to trace invoices," Watson said. In some cases, as with the society's Lotus Smartsuite product, Watson had to trace back to the early 1980s, when the package was first purchased, to find the original licence.
Watson said that throughout this process a major goal was to achieve BS7799 certification. "Achieving Fast certification ticked a number of BS7799 boxes. It was quite a lengthy process as we had to do two years' preparatory work."
Certification proves to business partners that the organisation has up-to-date security policies and promotes a culture of information security, said Watson. It also helps with regulatory compliance.
Thomas Raschke, senior analyst for IT security at Forrester Research, said, "A lot of money is being wasted on regulatory compliance. The advantage of a standard like BS7799 is that users can make an educated decision on whether they really need Fort Knox levels of security. You can identify where your real security needs are."
David Lacey, former chief security officer at Royal Mail, who developed the original BS7799 standard, said, "The key to certification is to have a process." Lacey recommended any business not already certified to follow BS7799 best practices in IT security.
Building society keeps skills in-house
Newcastle Building Society decided to improve the skills of its own staff rather than pay for external consultants to drive the organisation through to BS7799 compliance. The company paid for information security manager Pat Watson to attend a three-year MSc course in information security and computer crime, which included modules on BS7799. Watson also took a one-week International Register of Certificated Auditors course for BS7799 auditors.
"The course puts BS7799 into context, has saved time and has given me a thorough understanding of the standard," she said.