IHS Inc. The Source for Critical Information and Insight
IT Security Standards Evolve to Meet New Needs

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) recently released ISO/IEC 24762, a new standard offering guidance on the information and communication technologies and services needed for disaster recovery. It is only one of a number of IT security standards offered by the international organizations that are based on work first undertaken by BSI British Standards. Committee Manager Peter Restell and ICT Sector Content Manager David Fatscher of BSI discuss the impact of the BSI standards on IT security and the future of security standards development.

Q: When did BSI first start working on IT security?

Restell: It started in the late 1980s in the UK when the Department of Trade and Industry realized even at that early date how important it would be, that trading and electronic communications would become such an important feature of everyday business. They started to form the actual basis of the standard at that time. What they were aiming at was to try to develop a way by which people could manage and control their IT security. It was very good foresight… they regarded electronic transactions as something that would inevitably come and if UK industry could not provide secure means for transactions, we would start to lose out on trade.

Eventually the standard was finalized after many years of thought and deliberation and was published in 1995 as BS 7799. At that time, it was a standard that simply provided a record or dictionary of controls that could be applied and guidance on why you would apply them. The standard started to become recognized internationally as a very important standard, and in 2000, it was revised, taking into account all the technical innovations that had occurred over the five-year period. It became a much more in-depth document with something like 120 controls. And then we started to think, it’s all very well giving guidance, but in many cases, companies were looking for means of proving to their suppliers or customers that they in actual fact practiced what we stated in the standard. So we started to develop a part 2 for the standard—a specification which became BS 7799-2 (the earlier standard now being BS 7799-1). It listed requirements based on all the work we put in the guidelines. It contained statements like “you shall” and as soon as you put that sort of statement in, you can actually conduct an audit. The auditor will look to see if you complied with that statement. It’s a risk-based standard.

Q: What do you mean by risk-based?

Restell: The actual strength of the controls you apply depends on your risks and your business. If you were a bank, then you probably would have physical security between the door and where the money is kept. Whereas if you apply the same standards to a relatively small business, then you would not need that same sort of physical control.

Because the standard is risk-based, it’s very flexible, so you can discount controls based on your risk assessment and the actual strength of the control. That’s your business decision. You make it as strong as you like, and if you were being audited, the auditor would not challenge your decision.

Q: How did it become an international standard?

Restell: Both of those standards—BS 7799-1 and BS 7799-2—it was then decided, would benefit the international community. Even though they were national standards, a lot of countries were using them and were starting to ask us why they couldn’t become international standards. And in 2005, that’s what happened and ISO/IEC 27001 and ISO/IEC 27002 were published.

Q: How are they being used?

Restell: There are just under 5,000 organizations certified using ISO/IEC 27001, and something like 80 different certification bodies issuing those certificates. Japan leads the way with something like 2,500 certificates. India has about 500, the UK has about 400, Taiwan has 180, and China 100.

Q: Why do companies get certified? Is it to demonstrate how secure they are to their customers?

Restell: It’s partially to assure your customer or supplier that you’re treating their information securely.

Fatscher: If a company is about to outsource or procure new services, I think it’s increasingly becoming a prerequisite to demonstrate compliance with the standard… Certainly in the UK in the last six months, information security is very much on everyone’s lips, and there have been a lot of high-profile examples of companies and particularly public bodies losing consumer information. So the whole area of information security is very hot right now.

Restell: Obviously certification is one aspect of this. Five thousand is still a relatively low number, but a lot of companies or government bodies simply use the standard for guidance. Government departments, whilst they aren’t being certified, have internal audits that are strict and stringent, as if a certification body was conducting those audits.

Q: What has been the influence of BSI’s work on security practices?

Restell: It’s helped in many different ways. First of all, it’s made IT departments much more aware of security issues. Then we have a knock-on effect where users of IT equipment are trained and made aware of some of the potential security issues that they face just operating a PC. For example, making users aware of how risky it is to put confidential details onto a laptop and how vulnerable it is to being stolen.

At the end of the day, it’s a management standard. It’s not prescriptive, it doesn’t take people along a particular security route. For example, it doesn’t enforce encryption unless it’s absolutely necessary. But at least it does make organizations look at information and regard it as an asset and then try to give that asset a value. For instance, your company image. If you have an information security breach, sometimes it’s not necessarily the value of the information that’s stolen, it could be the actual knock-on effect that it has to your brand and company image.

Q: What do you think the future of information security standards is going to look like?

Restell: At the moment, it’s still in a growth phase. It’s really starting to look at some specific industries. For instance, it won’t be long before there will be the equivalent of our guidance material, but designed specifically for the telecommunications industry. Also, everything that is being developed by the international committee is being written to provide more detailed information about specific topics that are listed as some of the controls in the original standard. For instance, things like incident management and disaster recovery. They’re covered in the original standard, but now standards are being written which provide more details about those very specialized subjects.

Fatscher: It’s not just about patches, i.e., things that you can put on your systems to make them less vulnerable to attack from the outside. It’s as much about process and people. What surveys have indicated is that companies are as vulnerable, if not more vulnerable, from sloppy practices as they are from malicious attack via malware, viruses, and Trojans. Data can go missing and can be corrupted just because someone clicks a button that they shouldn’t… Part of the buy-in of the standard is that it shouldn’t just be the IT director who says, “I’ve read that, I understand it.” It needs to be something that the whole organization buys into as well.
