British businesses must refuse to be left behind by the Government’s complacency regarding information security compliance. With no set date as yet for any UK equivalent to Sarbanes-Oxley, compliance seems to be slipping down the agenda for IT and security directors attempting to juggle multiple – and often conflicting – priorities. Lorraine Cousins explains why compliance must be top of the corporate ‘To Do’ List.
Information: on the agenda?
Information security policies right around the globe are being driven by compliance requirements in the form of new legislation and much tighter industry regulations. Companies are now beginning to grapple with the increasing amount of laws and policies that demand fully-secure data and IT systems at all times. Yet many of those same policies fail to specify exactly what is meant by ‘secure data and IT systems’, and the measures that ought to be put in place.
Such confusing regulatory requirements mean that some companies may be overlooking dangers elsewhere as they bid for compliance. An organisation could be totally compliant but not secure, or it may be totally secure but remain non-compliant.
The basic problem lies in the fact that it is far from clear what these IT compliance requirements mean in terms of IT security. Following the Enron and WorldCom scandals, it would appear that part of the motivation lies in keeping company directors out of prison while avoiding hefty fines being levied on the host organisations themselves (‘Pull your SOX up’, SMT, August 2005).
In the UK, we appear to be more complacent in respect of legislation. Our Government noticeably lags behind its US counterpart. Admittedly, thus far we have been spared the type of high profile scandal that prompted Sarbanes-Oxley, but that shouldn’t prevent our Government from taking action. We need legislation in place, such that people are forced to take security seriously.
We do possess guidelines like ISO 27001, but UK organisations and those operating here must realise that they need to invest more in information security management.
Let’s be clear, too, that this should not be an isolated, one-off exercise that happens under the auspices of the IT Department, but rather it should be an ongoing activity demanding the full backing of the management and the Board.
Impact on the business
Security isn’t just about achieving compliance or demonstrating Best Practice. It can have a monumental impact on the business. In our information economy, the availability, integrity and confidentiality of data are fundamental to long term corporate survival. Today’s technology systems are increasingly sophisticated and complex, meaning that they are potentially vulnerable to a fast-changing range of threats. The tracking and remediation of security breaches is both expensive and highly labour-intensive.
These problems are by no means restricted to Internet or e-commerce businesses – all organisations across all industries, be they public or private, harbour highly confidential information that must be kept safe and sound. Some examples would be customer credit card numbers, health records, intellectual property for new products or established ones, details of financial transactions, customer lists, accountancy records and databases.
The strategic responsibility for ensuring that an organisation defends its assets in an appropriate manner can no longer be the sole preserve of the IT director. Information security is now a senior management, corporate governance-related responsibility and must be taken seriously – regardless of what legislation may or may not be in place in the UK.
Information security is about protection from fraudsters and hackers, yes, but it’s also about human error. The simple act of making a mistake can lead to bad or inadvertent data deletion. The consequences of this can be just as devastating as would be the case with a proper, full-scale ‘attack’.
According to a recent survey, larger businesses in the UK suffer the consequences of nearly 20 information security incidents every year, at an average cost to the host organisation of £12,000. Explaining that to the Shareholders must be a tough call.
Information security, then, is no longer just an IT problem. Today, it is a corporate issue demanding nothing less than total management backing at all times.
Essential steps to take
Sarbanes-Oxley is good practice forced on companies. It’s great for those organisations whose business is primarily financial. ISO 27001 (BS 7799), though, makes for easier reading. Its guidelines are more appropriate for all industries looking to reduce their risks across all aspects of their business.
A survey of UK companies that had undergone ISO 27001 assessment highlighted the benefits of doing so, including increased customer confidence and improved internal discipline. At the same time, many of these companies are now proactively promoting the fact that their data is safe to both suppliers and customers and that, in turn, this has helped to build trust between all parties.
The most unexpected effect of certification reported by managing directors was a significant increase in business at the expense of non-certified competitors.
To achieve information security compliance, the first essential step is to carry out a risk assessment evaluating the scope of the problem that may exist within the organisation. How many software applications have ‘back doors’ written into them? How many ex-employees still have active network user accounts? How many people in the organisation actually need to have the highest level of access privileges?
The next step is to close any open doors, and put in place access templates based on job function. It’s also important to run regular reports against your defined security policy such that it remains compliant. Also, present proof to the auditors that you are following your own procedures and have a tight control over security. A good security policy does not exist to hinder people in their jobs. It’s there to protect the company and its data.
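As an added illustration of the three checks above (example code, not from the article or Halcyon Software), this Python script runs a constructed HR roster and directory export against job-function access templates and reports leavers with live accounts, privileges beyond the role template, accounts with no known owner, and how many accounts hold the highest privilege level; all user names, job functions and privilege labels are assumptions.

```python
# Constructed sample data (not from the article). Access templates map a
# job function to the privileges that role needs; anything beyond is a deviation.
ACCESS_TEMPLATES = {
    "accounts_clerk": {"ledger_read", "ledger_write"},
    "sales": {"crm_read", "crm_write"},
    "sysadmin": {"ledger_read", "crm_read", "domain_admin"},
}

# HR roster (constructed): who is still employed and in what function.
HR_ROSTER = {
    "alice": ("accounts_clerk", "active"),
    "bob": ("sales", "left"),          # ex-employee
    "carol": ("sysadmin", "active"),
    "dave": ("sales", "active"),
}

# Directory export (constructed): account state and privileges granted.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "privs": {"ledger_read", "ledger_write", "domain_admin"}},
    {"user": "bob", "enabled": True, "privs": {"crm_read", "crm_write"}},
    {"user": "carol", "enabled": True, "privs": {"ledger_read", "crm_read", "domain_admin"}},
    {"user": "dave", "enabled": False, "privs": {"crm_read", "crm_write"}},
    {"user": "svc_backup", "enabled": True, "privs": {"domain_admin"}},  # no HR record
]

def audit_accounts(accounts, roster, templates):
    """Return compliance findings keyed by policy check, plus the admin count."""
    findings = {"orphaned": [], "excess_privilege": [], "unknown_owner": []}
    admin_count = 0
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used, so it is not a finding
        user = acct["user"]
        if "domain_admin" in acct["privs"]:
            admin_count += 1  # highest privilege level in this constructed model
        if user not in roster:
            findings["unknown_owner"].append(user)
            continue
        function, status = roster[user]
        if status != "active":
            findings["orphaned"].append(user)  # leaver who still has a live account
        extra = acct["privs"] - templates.get(function, set())
        if extra:
            findings["excess_privilege"].append((user, sorted(extra)))
    findings["highest_privilege_count"] = admin_count
    return findings

if __name__ == "__main__":
    for check, result in audit_accounts(ACCOUNTS, HR_ROSTER, ACCESS_TEMPLATES).items():
        print(f"{check}: {result}")
```

Run on a real directory export, the same report doubles as the evidence for auditors that the policy is being checked on a regular cycle.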
Policy checks and ‘fixes’
Managing compliance can be a labour intensive process. For instance, a recent Fortune 500 Chief Executive Officer Working Party estimated that, on average, 20,000 staff hours – the equivalent of ten people working full-time for a year – will be required to ensure security compliance for large corporations.
Therefore, running regular risk assessment reports for internal and external audits – as well as carrying out frequent security policy checks and fixes – is better handled by automated software tools than by manual procedures.
Companies who begin to look seriously at compliance issues now are going to reap the benefits. Those that delay and leave it too long will find that appropriate resources are more scarce and, consequently, more expensive. Those that wait for the UK Government to legislate will probably go out of business!
Source
SMT
Postscript
Lorraine Cousins is MD of Halcyon Software