Managing Security Certification
Certification could be the best way to manage Information Security Systems.
Certifications are important for all individuals - from getting into universities to securing a good job. The world gets its first impression and judges you by the supporting documents that accompany your resume.
But what about your business? We often deal with companies and business partners because they provide a product or service that meets our business needs. As the global economy gets meshed with global networks and more business gets done electronically, there will soon come a time when people won't do business with you if they can't be sure that your organization's security policies are in line with theirs.
One of the most important enterprise certifications in the security space is BS7799. Perhaps the most important thing a certification like BS7799 brings to the industry is a security datum - a common and 'more' absolute reference point, rather than saying: "We have enterprise-class end-to-end security made up of the best-of-breed technology."
BS7799 Background
The British Standard (BS) 7799 specification is an Information Security Management System (ISMS) standard that was established in 1999 by British Standards Inc. (www.bsi-global.com) and consists of two parts. BS7799 Part 1 is a Best Practices Standard that is simply a Code of Practice. Anyone can buy the standards document and implement its security best practices. In fact, the ISO 17799 Standard is equivalent to BS7799-1.
For enterprises seeking certification, what is more important is BS7799 Part 2, which is the specification that leads to certification. A revised version of Part 2 (BS7799-2), published in 2002, incorporates the ISO9000 quality assurance standard and the ISO14000 environmental control standard.
Both these standards bring a key continuity and Change Management system to BS7799, commonly known as the PDCA (Plan, Do, Check, Act) cycle (see figure 1). This ensures that a properly deployed ISMS will constantly evolve, along with current prevailing threats.
The harmonization with ISO9000 and ISO14000 allows for the PDCA review process, so that enterprises can respond to change and improve the ISMS over time.
Gaining Momentum
While the standard emerged in the UK, BS7799 is gaining momentum elsewhere. The XiSEC global registry now lists nearly 1000 companies with accredited BS7799 certificates. India has the third largest base of companies with BS7799 certifications. However, it pales in comparison with Japan, which has 463; the US, interestingly, figures at No. 10, with only 13 certified companies (see figure 2).
The list of certified Indian companies largely consists of software export, ITeS and consultancy firms. However, recently the Mumbai Police interactive infoline '1090' received the BSI stamp of approval - making it the first police call centre in the world to get such a distinction. The 24-hour toll-free number, which launched just four months ago, offers users information on everything from passport verification to arms and ammunition licences.
Benefits
The benefits of certification, if leveraged effectively, can far outweigh the costs. Security certifications are all about accountability to your shareholders, customers, partners, and your own company employees.
Increased customer confidence: Having this infrastructure in place gives clients valuable reassurance that their data is being treated in confidence and being managed as per the best practices (BS7799). The recent past has seen a focus on security issues in new tenders, with customers starting to be far more conscious about security and the implications of information loss, especially in the UK & US. Compliance to BS7799 gives customers confidence that the vendor is managing data according to Best Practices.
Increased productivity: BS7799 allows you to implement and enforce working practices that greatly benefit the organisation. It can reduce staff time spent surfing and downloading information from the Internet not related to work, eliminate staff sending and receiving (potentially damaging) emails not related to work, and stop telephone calls not related to work.
Avoid misguided investments: Most businesses have many safeguards throughout the organisation. Implementing BS7799 will ensure that you have the right level of protection to suit all your Information Systems. Your mission-critical information needs to be watertight, but overprotecting less important data can be costly and make your business inefficient.
Business availability: A business continuity plan that suits the business and not just the IT department. The BS7799 assessment identifies to a company which of its information assets are critical to the success of the business. This enables you to:
- Produce a business continuity plan that prioritizes those assets and reduces the potential exposure to financial losses and negative publicity.
- Ensure controls to maintain system availability.
- Reduce the risk of vulnerabilities being exploited, thus reducing downtime.
Reduce possibility of internal breaches: With a majority of all security breaches being internal, you may need to look at whom you are employing. BS7799 enables you to introduce measures through the recruitment process that reduce the risk of employing people unsuitable to take on a position or who could potentially put your business at risk, so you know who is working for you.
The process of getting BS7799 accredited is not an easy one, and requires a dedicated team, meticulous planning, and a lot of overall company support. Security cannot be treated as a cost centre; it has to be seen as a way of increasing the value of your Information Assets, as well as maintaining trust, without which you can't do business. One sure thing is that you can't be certified for the sake of it, or go through the motions and pass out the policy booklets. If it's not a top-down and all-around philosophy, you probably won't pass the certification process.