This article was published to coincide with the release of BS7799 - Information Security Management by the British Standards Institution in 1994. It reviews the standard and discusses its relevance and benefits for Jersey businesses. Readers should note that developments including the update to the standard in 1999 are not reflected in this article but the fundamental points made remain relevant.

Introduction

Ask any experienced manager and the chances are he will know of businesses that have suffered significant losses through:

• corruption or loss of data;
• systems being down when they are needed; or
• loss of confidentiality

These are the unwelcome side effects of dramatic increases in dependence on information systems. The discipline which deals with these business risks is Information Security Management. Experience shows that managers who fail to manage these risks are gambling with the continuing existence of their business. Like the National Lottery, the odds of not losing are long. Fortunately for overworked managers, guidance is available. Despite some criticism from the computer industry, BS7799 (which has been based on practical controls used in larger companies) provides a helpful starting point. These articles look at some practical aspects of applying BS7799 in the context of Jersey businesses.

Structure of BS7799

The Standard contains an introduction and ten sections dealing with each component of security. The introduction emphasizes that security requirements stem from:

• security risks and their potential business consequences;
relevant regulatory and contractual requirements (e.g. trading partners,
• contractors and service providers); and
information processing requirements (security controls must not obstruct
• efficient business operations).

The Standard explains that security risks need to be assessed in terms of the harm to the business that could result from loss, corruption, unavailability or breach of confidentiality of information. BS7799 does not, however, provide detailed guidance on any particular method for making that assessment.

Finally, a number of critical success factors are suggested including the need for support and commitment from top management, understanding of business objectives and security risks.

The bulk of the BS7799 is made up of the ten control sections. Fundamental controls are labelled "key" as a starting point for implementing information security. Most remaining controls are "baseline security controls" that is, accepted good practices appropriate to all situations. The Standard explicitly acknowledges that in some cases, further controls will be required. This is especially significant for local Financial Services Firms where the predominance of financial assets and emphasis on client confidentiality demand significantly stronger controls. Each category has aspects which require special consideration in the local context.

Information Assets are protected by controls built on a foundation of policy & organisation

1 - Security policy

A clear statement of policy underpins security management. Local businesses typically communicate policies without the formality found in larger organisations. However communicated, policy must be clear and management must be seen to unequivocally endorse information security.

2 - Security organisation

How do you organise security? In short, by specifying who is responsible for what. This sound advice is a foundation to all effective management. Independent specialist advice is also recommended by BS7799. This will be especially appropriate for local businesses which cannot justify employing a security specialist and for subsidiaries who find group resources do not provide the necessary support.

3 - Asset classification and controls

Classification deals with ownership of assets, including information. Treating information as an asset makes it obvious that it must be protected like any other. Even today, some sophisticated businesses in the Island do not identify owners for information assets. If nobody is accountable for the information, chances are it will not be complete, accurate, available when needed, or kept confidential.

4 - Personnel security

In contrast to popular images, security breaches typically occur through individuals rather than technical weaknesses. Effective personnel measures are essential. This includes defining security responsibilities, providing adequate training and enforcing discipline. Businesses in the Island typically have fewer employees and thus limited opportunity for division of duties. This creates exceptional dependence on the integrity of key individuals. Recruitment screening and subsequent monitoring controls can help, especially for employees in sensitive positions, but are easily overlooked. Does your business use these measures effectively?

5- Physical and environmental security

Physical security is an obvious area to prevent attack or accident. Important aspects which are sometimes missed include protecting cabling from accidental damage and procedures to effectively erase data from equipment being disposed of.

6 - Computer and network management

Widespread use of networks amongst local businesses creates a number of vulnerabilities. For example, operational procedures and responsibilities are sometimes not documented. As a result the business becomes excessively reliant on the knowledge of particular skilled individuals. Similarly, systems planning is needed to prevent the business being brought to its knees by unexpected capacity and resource problems. The technical environments operated by businesses in the Island are often complex. A rigorous and disciplined approach is needed but not always evident.

Virus controls are a particular hazard. Virus programs are increasingly sophisticated and difficult to detect. Many island homes have PCs and connections to the Internet. Many businesses are on the verge of electronically sharing files. These factors increase opportunities for virus propagation. Not surprisingly, virus control is identified as a key in the Standard.

Finally, Electronic Data Interchange is especially sensitive for Jersey businesses using electronic fund transfer services such as SWIFT, Euroclear or CHAPS. These are inherently susceptible to serious abuse. Are you confident that your controls are adequate?

7 - System access control

Access controls included in BS7799 will be familiar to most managers. Password techniques are commonly used to check the identity of the user. Users should be uniquely identified and held accountable based on logging of their actions.

It is important to distinguish "end users”, who generally will be restricted to particular applications and functions within those applications, and "special" cases such as Information Systems personnel. The latter need access to privileges and utilities. Whilst all access should be on a “need to use” basis, attention should be focused on utilities and privileges as some of these by-pass other controls. Even in simple environments, administration of access control requires sound technical understanding. In many local businesses senior IT staff will control access. This creates a conflict since the same staff also typically use the utilities and privileges which by-pass other controls. Are you sure your IT manager can’t change the payee details on the electronic payments file being transmitted to the bank? Independent review can be a cost effective answer to this dilemma. For businesses wishing to do it themselves, help with understanding the technical aspects and by-pass risks is available from the Information Systems Audit and Control Association bookstore amongst other sources.

8 - System development and maintenance

All businesses will benefit from considering security when developing and maintaining applications. This will be particularly relevant to local organisations who have identified opportunities to redesign their processes to exploit automation and eliminate manual procedures. This usually eliminates paper records and can be enabled by new technologies such as workflow management, document image processing, EDI, etc. Managers are sometimes wary of this transition. However, if you understand the possibilities that the new technologies offer, automated processes can produce substantial savings and provide better, more effective controls.

Related to this, the integrity of live applications depends on software quality assurance, including rigorous testing, documentation and enforcement of appropriate standards. This is clearly relevant for large businesses which develop their own applications. But local businesses often use packages which are customised or are not in common use, or develop applications using sophisticated software such as PC database management systems or spreadsheets. Many of the costs are hidden. How many applications have been abandoned because the person who developed them is no longer around to provide support? How much time is lost sorting out or correcting bug ridden, rickety applications? If these costs were foreseen would outsourcing have been a better strategy?

These costs can be avoided. Unlike the larger company, local users typically shoulder the responsibility for analysing, designing and testing complex applications or custom enhancements. These users do not have the advantage of the training, methodologies and experience of the Information Systems professional. The challenge should not be underestimated. Investing in up front planning and focused professional support for project management and quality assurance will have a significant payback.

9 - Business Continuity Planning

Statistics show that businesses of the size found in Jersey are less likely to have adequately addressed business continuity planning. The baseline measures in the Standard provide a valuable, if brief, framework for this area. As with other areas of security, primary responsibility rests with management to ensure that key requirements are understood and suitable procedures are put in place and tested. Is your plan like that of one local business who only found out when disaster struck that their back up routine was ineffective? All their data was lost. The message is simple, a plan which is not tested is worthless.

10 - Compliance

The final section of BS7799 deals with compliance matters. Legal issues include control over software copying, and the requirements of, in Jersey’s case, the Data Protection (Jersey) Law 1987, the Computer Misuse (Jersey) Law (currently with Privy Council). Banks will, in addition need to consider the requirements of the Banking Business (Jersey) Law 1991

Getting started

This article has discussed features of BS7799 as a starting point for managing security in a local organisation. These are widely recognised good practices, subsidiaries will find that the controls suggested in the Standard resemble group policy statements. However, controls must be intelligently applied in the local context. If security management has not yet been effectively addressed in your business, a good place to begin is by building awareness amongst senior management. Their backing will be gained once the business case for security is convincingly demonstrated.

Once senior management sponsorship is confirmed, the actual threats and vulnerabilities of the business can be established. Do this by drawing on the insights and experience of relevant managers. This way, real business priorities will be confirmed and wider commitment generated.

Building on this foundation the introduction of the baseline measures suggest by BS7799 together with any specific control responsive to your business risks will be a success. A well conceived and disciplined approach will ensure that security management saves you money. At the end of the day, Information Security must be approached as a bottom line business issue like any other.