BS7799 – Why is it important?

April 30, 1998

As information security is increasingly on the business agenda, we have increased involvement with the legal profession as we help people either improve their information security or deal with the consequences of inadequate provision.

Whatever kind of organisation we deal with, one common thread is that we see very little in the way of addressing the possible legal consequences of not taking appropriate measures to protect sensitive information.

For example, ask yourself what you would do in these situations:

· a client is hacked from your network by an employee

· a virus or worm spreads from your systems to a client

· a competitor accuses you of stealing their information

· a member of staff ‘helps’ you by mounting a denial of service attack against a competitor

· your systems are targeted for attack by political activists

· a hacking group ‘supports’ an ex-employee.

Increased reliance on IT brings a greater potential for claims arising from information security breaches, whether from employees, clients, or business partners.

The Data Protection Act, and its seventh principle in particular, places a responsibility on you to keep personal data secure. Liability clearly rests with senior executives to ensure that appropriate information security countermeasures are in place. But how can you judge security? Are the IT team really as good as they say? Or, more importantly, do they themselves present the highest risk, through their own use of IT and a disregard for the organisation’s best interests? On quite a few occasions we are called in to help an organisation keep out the IT employee it has just dismissed.

The one standard that organisations are increasingly turning to is BS7799 (and its ISO equivalent, ISO/IEC 17799). The standard addresses the broader organisational issues involved in establishing and maintaining an appropriate information security management system (ISMS), covering areas such as:

· policy

· asset classification

· network security

· new system development

· business continuity

· legal compliance.

All countermeasures used to deliver the ISMS are selected on the basis of a risk assessment, so that any investment is proportionate to the business activities and to the risks being treated.

In addition to the obvious benefit of improving information security, BS7799 provides an ideal vehicle for demonstrating effective corporate governance. Weight was added to this by the Information Commissioner’s statement that compliance with BS7799 is sufficient to satisfy the seventh principle of the Data Protection Act.

The legal side of information security is often even more involved than the technical side (although we see enough people struggle with technical countermeasures). How many organisations have really considered how they should address the complexities of:

· the Drug Trafficking Act 1994

· the Data Protection Act 1998

· the Human Rights Act 1998

· the Regulation of Investigatory Powers Act 2000

· the Terrorism Act 2000

· the Anti Terrorism Crime & Security Act 2001

· the Proceeds of Crime Act 2002.

Many observers assume that, as IT security specialists, we spend our time fighting a global hacking battle against political activists targeting UK companies. Although we have helped organisations recover from such attacks, a growing proportion of our work concerns action against staff, usually for Internet and e-mail abuse.

Employers often need help with gathering and analysing the data needed to show misuse. In our experience, however, employers have more difficulty with establishing policies and procedures before an incident, and then with following the correct process when dealing with the employee.

The employee, on occasion, will seek our help to:

· demonstrate system weaknesses

· show possible, alternative causes

· highlight security shortcomings.

Although BS7799 can provide an effective framework for improvement, it still presents specific challenges for organisations, particularly:

· the technical complexity of many IT solutions

· human resource management working alongside the IT team

· senior management control of an area in which they have very little expertise (how many Chief Information Officers do you know?)

· risk assessment in an area characterised by low-probability, high-impact scenarios and very little valid data on which to base decisions.

So when might you encounter the BS7799 standard? Perhaps when you are writing that next tender for a large organisation or public sector body. Yes, even solicitors need to keep information secure!

Or perhaps your clients will have to gain certification to address the concerns of their clients.

The BS7799 standard offers an ideal way to treat risk during the negotiation of IT-based contracts, complementing the usual:

· service level agreements/service credits

· warranties as to security performance, which will not be absolute

· obligations to give full disclosure of breach

· indemnities against claims/losses attributable to breach of warranty

· limitation of liability

· rights to terminate/disaster recovery.

Also, if things do go terribly wrong and you want to deploy your heavy artillery, your application for search and seizure orders (Anton Piller) or freezing orders (Mareva) could be greatly strengthened by the ability to present credible evidence derived from your BS7799-based monitoring and data analysis.

Ian Mann MBA BEng CCSP is the founder and Senior Consultant with ECSC. In addition to his work with BS7799, he holds the CLAS accreditation with CESG (part of GCHQ) and has security clearance. He is also a certified Cisco network security specialist. Ian can be contacted on 01274 736223 or ian.mann@ecsc.co.uk