The DTI’s 2002 Security Breaches Report found that a staggering 44% of
To date, only about 80
The Seventh Data Protection Principle
The Information Commissioner has even included a question on the annual notification form asking whether a business is ISO17799 compliant. Whether he will take a greater interest in businesses that are not compliant is unclear.
The Seventh Data Protection Principle of the Data Protection Act 1998 requires that a business (ie a data controller) processing personal data (ie information relating to an identifiable living individual) should ensure a level of security appropriate to:
· the harm that might occur from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
· the nature of the data to be protected.
The data controller should also take reasonable steps to ensure the reliability of all employees who have access to such personal data and that, where the data controller has sub-contracted or outsourced its data processing obligations to a third party (ie a data processor), such processing only takes place under a written contract.
The data processor must give the data controller sufficient warranties and indemnities in respect of its technical and organisational security measures.
If security lapses by the data processor lead to the loss of personal data, the data controller will be held liable for fines and damages. The data controller should therefore audit the data processor’s security measures regularly and, ideally, require that the processor can demonstrate ISO17799 compliance.
Liability for loss of IP rights and confidential information
Loss of business assets, such as IP rights and confidential information, may also occur if there is a breach in security. Encryption should therefore be seen as an essential business tool for protecting a business’s most vital assets whenever confidential information is sent over the Internet. Yet surprisingly few companies make use of encryption in the
Turnbull Report
Since the
In view of the corporate governance requirements under the Turnbull Report, CEOs should not be leaving IT security in the hands of the IT department alone.
Key principles of ISO17799
ISO17799 is an entry-level good practice framework for information security. It identifies key issues relating to:
§ organisational security
§ asset classification and control
§ personnel security
§ physical and environmental security
§ access control
§ mobile computing
§ teleworking.
All security procedures and responsibilities should be clearly identified in a staff security manual. Staff should undergo security checks upon joining a company and should continually be made aware of relevant security issues. Common sense security measures, such as locking doors and marking IT equipment with security ID, are the norm and will be expected by a business’s insurers.
Achieving ISO17799 accreditation
ISO17799 registration involves devising a workable information security management framework set out in BS7799-2, the second part of ISO17799. In 2002, the Organisation for Economic Co-operation and Development (OECD) published Guidelines for the Security of Information Systems and Networks, and BS7799-2 was revised accordingly and is now known as BS7799-2:2002.
Businesses must adhere to the measures specified in BS7799-2:2002 in order to achieve accreditation. To do this, they must complete four steps, identified in BS7799-2:2002 as the “Plan, Do, Check and Act” requirements:
Step 1: Undertake a business risk analysis
· define the scope of the information security management system;
· define an information security management system policy;
· identify the risks that are faced by the business; and
· select control objectives.
Step 2: Implement internal controls to manage the identified risks
· implement the risk treatment plan;
· change the culture of employees; and
· institute physical security measures.
Step 3: Conduct regular and robust management reviews to assess the effectiveness of security measures
· start monitoring procedures;
· conduct regular internal reviews and audits; and
· evaluate any residual risks.
Step 4: Take necessary action to adjust the security measures
· identify improvements;
· take appropriate corrective and preventative measures; and
· communicate the results to interested parties.
The key documents produced during this process, outlining security controls and procedures, will be used by the external auditor to award full ISO17799 accreditation, although he or she may make further recommendations with which a business will need to comply before accreditation is granted.
Once accreditation is obtained, regular audit visits will be carried out throughout the three-year period for which it is valid.
Conclusion
The global standardisation of security measures, combined with the benchmarking proposed by the OECD Guidelines and ISO17799, means that ISO17799 accredited businesses will find themselves at a clear advantage both at home and abroad. Businesses possessing the internationally recognised ISO17799 accreditation could well gain the edge in competitive tendering. An accredited company is also likely to win favour with its customers, shareholders and insurers.
It is these kinds of commercial advantages that the DTI should now be pushing in its bid to sell the benefits of ISO17799 accreditation to more