This article was published to coincide with the release of BS7799 - Information
Security Management by the British Standards Institution back in 1994.
It reviews the standard and discusses its relevance and benefits for Jersey
businesses. Readers should note that developments including the update
to the standard in 1999 are not reflected in this article but the fundamental
points made remain relevant.
Ask any experienced manager and the chances are he will know of businesses
that have suffered significant losses through:
- corruption or loss of data;
- systems being down when they are needed; or
- loss of confidentiality
These are the unwelcome side effects of dramatic increases in dependence
on information systems. The discipline which deals with these business
risks is Information Security Management. Experience shows that managers
who fail to manage these risks are gambling with the continuing existence
of their business. Like the National Lottery, the odds of not losing are
long. Fortunately for overworked managers, guidance is available. Despite
some criticism from the computer industry, BS7799 (which has been based
on practical controls used in larger companies) provides a helpful starting
point. These articles look at some practical aspects of applying BS7799
in the context of Jersey businesses.
Structure of BS7799
The Standard contains an introduction and ten sections dealing with each
component of security. The introduction emphasizes that security requirements
- security risks and their potential business consequences;
- relevant regulatory and contractual requirements (e.g. trading partners,
contractors and service providers); and
- information processing requirements (security controls must not obstruct
efficient business operations).
The Standard explains that security risks need to be assessed in terms
of the harm to the business that could result from loss, corruption, unavailability
or breach of confidentiality of information. BS7799 does not, however,
provide detailed guidance on any particular method for making that assessment.
Finally, a number of critical success factors are suggested, including
support and commitment from top management and an understanding
of business objectives and security risks.
The bulk of BS7799 is made up of the ten control sections. Fundamental
controls are labelled "key" as a starting point for implementing
information security. Most remaining controls are "baseline security
controls", that is, accepted good practices appropriate to all situations.
The Standard explicitly acknowledges that in some cases, further controls
will be required. This is especially significant for local Financial Services
Firms where the predominance of financial assets and emphasis on client
confidentiality demand significantly stronger controls. Each category
has aspects which require special consideration in the local context.
Information Assets are protected by controls built on a foundation of
policy & organisation
1 - Security policy
A clear statement of policy underpins security management. Local businesses
typically communicate policies without the formality found in larger organisations.
However communicated, policy must be clear and management must be seen
to unequivocally endorse information security.
2 - Security organisation
How do you organise security? In short, by specifying who is responsible
for what. This sound advice is a foundation to all effective management.
Independent specialist advice is also recommended by BS7799. This will
be especially appropriate for local businesses which cannot justify employing
a security specialist and for subsidiaries who find group resources do
not provide the necessary support.
3 - Asset classification and controls
Classification deals with ownership of assets, including information.
Treating information as an asset makes it obvious that it must be protected
like any other. Even today, some sophisticated businesses in the Island
do not identify owners for information assets. If nobody is accountable
for the information, chances are it will not be complete, accurate, available
when needed, or kept confidential.
4 - Personnel security
In contrast to popular images, security breaches typically occur through
individuals rather than technical weaknesses. Effective personnel measures
are essential. This includes defining security responsibilities, providing
adequate training and enforcing discipline. Businesses in the Island typically
have fewer employees and thus limited opportunity for division of duties.
This creates exceptional dependence on the integrity of key individuals.
Recruitment screening and subsequent monitoring controls can help, especially
for employees in sensitive positions, but are easily overlooked. Does
your business use these measures effectively?
5 - Physical and environmental security
Physical security is an obvious area to prevent attack or accident. Important
aspects which are sometimes missed include protecting cabling from accidental
damage and procedures to effectively erase data from equipment being disposed
6 - Computer and network management
Widespread use of networks amongst local businesses creates a number
of vulnerabilities. For example, operational procedures and responsibilities
are sometimes not documented. As a result the business becomes excessively
reliant on the knowledge of particular skilled individuals. Similarly,
systems planning is needed to prevent the business being brought to its
knees by unexpected capacity and resource problems. The technical environments
operated by businesses in the Island are often complex. A rigorous and
disciplined approach is needed but not always evident.
Viruses are a particular hazard. Virus programs are increasingly
sophisticated and difficult to detect. Many island homes have PCs and
connections to the Internet. Many businesses are on the verge of electronically
sharing files. These factors increase opportunities for virus propagation.
Not surprisingly, virus control is identified as a key control in the Standard.
Finally, Electronic Data Interchange is especially sensitive for Jersey
businesses using electronic fund transfer services such as SWIFT, Euroclear
or CHAPS. These are inherently susceptible to serious abuse. Are you confident
that your controls are adequate?
7 - System access control
Access controls included in BS7799 will be familiar to most managers.
Password techniques are commonly used to check the identity of the user.
Users should be uniquely identified and held accountable based on logging
of their actions.
It is important to distinguish "end users", who generally will
be restricted to particular applications and functions within those applications,
from "special" cases such as Information Systems personnel. The
latter need access to privileges and utilities. Whilst all access should
be on a need-to-use basis, attention should be focused on
utilities and privileges as some of these by-pass other controls. Even
in simple environments, administration of access control requires sound
technical understanding. In many local businesses senior IT staff will
control access. This creates a conflict since the same staff also typically
use the utilities and privileges which by-pass other controls. Are you
sure your IT manager can't change the payee details on the electronic
payments file being transmitted to the bank? Independent review can be
a cost-effective answer to this dilemma. For businesses wishing to do
it themselves, help with understanding the technical aspects and by-pass
risks is available from the Information Systems Audit and Control Association
bookstore amongst other sources.
8 - System development and maintenance
All businesses will benefit from considering security when developing
and maintaining applications. This will be particularly relevant to local
organisations who have identified opportunities to redesign their processes
to exploit automation and eliminate manual procedures. This usually eliminates
paper records and can be enabled by new technologies such as workflow
management, document image processing, EDI, etc. Managers are sometimes
wary of this transition. However, if you understand the possibilities
that the new technologies offer, automated processes can produce substantial
savings and provide better, more effective controls.
Related to this, the integrity of live applications depends on software
quality assurance, including rigorous testing, documentation and enforcement
of appropriate standards. This is clearly relevant for large businesses
which develop their own applications. But local businesses often use packages
which are customised or are not in common use, or develop applications
using sophisticated software such as PC database management systems or
spreadsheets. Many of the costs are hidden. How many applications have
been abandoned because the person who developed them is no longer around
to provide support? How much time is lost sorting out or correcting
bug-ridden, rickety applications? If these costs had been foreseen, would
outsourcing have been a better strategy?
These costs can be avoided. Unlike the larger company, local users typically
shoulder the responsibility for analysing, designing and testing complex
applications or custom enhancements. These users do not have the advantage
of the training, methodologies and experience of the Information Systems
professional. The challenge should not be underestimated. Investing in
up-front planning and focused professional support for project management
and quality assurance will have a significant payback.
9 - Business Continuity Planning
Statistics show that businesses of the size found in Jersey are less
likely to have adequately addressed business continuity planning. The
baseline measures in the Standard provide a valuable, if brief, framework
for this area. As with other areas of security, primary responsibility
rests with management to ensure that key requirements are understood and
suitable procedures are put in place and tested. Is your plan like that
of one local business who only found out when disaster struck that their
back-up routine was ineffective? All their data was lost. The message
is simple: a plan which is not tested is worthless.
10 - Compliance
The final section of BS7799 deals with compliance matters. Legal issues
include control over software copying, and the requirements of, in Jersey's
case, the Data Protection (Jersey) Law 1987 and the Computer Misuse (Jersey)
Law (currently with Privy Council). Banks will, in addition, need to consider
the requirements of the Banking Business (Jersey) Law 1991.
This article has discussed features of BS7799 as a starting point for
managing security in a local organisation. These are widely recognised
good practices; subsidiaries will find that the controls suggested in
the Standard resemble group policy statements. However, controls must
be intelligently applied in the local context. If security management
has not yet been effectively addressed in your business, a good place
to begin is by building awareness amongst senior management. Their backing
will be gained once the business case for security is convincingly demonstrated.
Once senior management sponsorship is confirmed, the actual threats and
vulnerabilities of the business can be established. Do this by drawing
on the insights and experience of relevant managers. This way, real business
priorities will be confirmed and wider commitment generated.
Building on this foundation, the introduction of the baseline measures
suggested by BS7799, together with any specific controls responsive to your
business risks, will be a success. A well conceived and disciplined approach
will ensure that security management saves you money. At the end of the
day, Information Security must be approached as a bottom line business
issue like any other.