There are many different standards and acts we are asked to be compliant with -- Sarbanes Oxley, BS 7799/ISO 17799 and the Data Protection Act to name but three. But how can you enforce compliance on your users?
There are two main factors forcing IT users onto the compliance trail: regulatory compliance, as new acts of parliament are brought into force, and industry compliance, to satisfy our trading partners and clients. Once an organization starts down the road of compliance, the inevitable takes place. There is a review of the current state of affairs, quickly followed by a document, or more likely a manual, on how the organization will deliver on and audit the issues addressed from this point on. Now if this freshly bound manual is not to gather dust and become a useful bookend on the top shelf, the rules it espouses will need to be adhered to and audited from time to time. Indeed they will also need to be reviewed and amended to be kept current. The problem is that keeping everyone playing by these new rules can be an arduous task.

Why the need anyway?
Compliance, when spoken of in IT terms, usually refers to the protection of data: both its integrity and its security from unauthorised release. Just like any other business asset, information has a value, and consequently we as organizations should look at protecting that most valuable of assets. Having a recognised standard to work toward is both desirable and effective. Compliance with a recognised standard will clearly identify to others that you have seriously considered the subject in question. The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) form the specialised system for world-wide standardisation. Numerous national bodies make up the membership of these organizations, developing and publishing internationally recognised standards. Gaining BS 7799 or ISO/IEC 17799:2000 accreditation is fast becoming the accepted minimal standard for information security.
Companies are demanding that their suppliers and partners become compliant, thereby indicating that they have taken credible steps to implement information security. Why is information security required, and what is causing so many organizations to sign up to this standard? Confidentiality, integrity and availability of information are probably the main drivers, and these are directly linked to competitive edge, cash flow, profitability, legal compliance and, not least, commercial image.

Where to start?
A formal approach to data security sounds like a sensible idea. Well, yes it is, but where does one start? Since BS 7799 was converted into the international standard ISO/IEC 17799:2000, it has fast become a prerequisite when implementing information security. This standard, or code of practice, covers all aspects of IT, including such elements as Security Policy, Organizational Security, Physical and Environmental Security, Systems Development and Maintenance, and Business Continuity Management. The standard is divided into twelve main sections, and each section is sub-divided to allow all aspects of this vast subject to be considered.
Investment in information security leading to formal acknowledgement via ISO 17799 accreditation is not to be taken lightly. Notwithstanding the benefits already described above, the challenge for any organization either looking to implement this standard or for those that have already attained accreditation is how to retain the level of control necessary to remain compliant.
The policies you have drawn up to form your IT Security Manual work as a guide, a road map if you will. But on their own they leave too much to chance and interpretation. What is required is some form of enforcement mechanism that will not only keep users on the "straight and narrow" but also audit what has been achieved.

Achieving the standard
The desire to meet ISO/IEC 17799:2000 is a very worthy one; the challenge, once an organization achieves this standard, is how best to maintain it. The policy that you have written will go a long way to helping you, but it is the nature of human beings that they will require more tangible methods of guidance. Security software that supports your policy document is, I believe, a must. Without such a tool in place you are left to the vagaries of human beings. While selecting your software it is worth considering only those products that have subjected themselves to third-party accreditation such as Common Criteria (http://csrc.nist.gov/cc/). In the context of what I have been discussing here, this should itself be viewed as a form of compliance.
Ideally this enforcement software will sit quietly in the background, not troubling the user unless they try to do something that they should not. At that point, a clear and precise message should be displayed informing the user of the problem, and an audit record should be written.
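The enforcement behaviour described above (deny the action, tell the user plainly why, and always write an audit record) is the classic policy enforcement point pattern. The sketch below is an added illustration written for this article, not code from Reflex Magnetics or any product; the rule ids, the policy rules and the sample actions are all constructed for the example.

```python
"""Minimal policy-enforcement-point sketch (constructed example).

Each user action is evaluated against a list of policy rules. The first rule
that matches denies the action and supplies the message shown to the user.
Every decision, allow or deny, is appended to an audit log so that what was
enforced can later be reviewed during a compliance audit.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional


@dataclass
class Rule:
    rule_id: str                     # constructed identifier, e.g. "POL-MEDIA-01"
    description: str
    matches: Callable[[dict], bool]  # predicate over the action dictionary
    user_message: str                # clear, precise text shown to the user


# Constructed sample policy: two rules of the kind a security manual might state.
POLICY: List[Rule] = [
    Rule("POL-MEDIA-01", "No writes to removable media",
         lambda a: a["operation"] == "write" and a.get("device") == "removable",
         "Writing to removable media is not permitted by the security policy."),
    Rule("POL-EXEC-02", "Only approved executables may run",
         lambda a: a["operation"] == "execute" and not a.get("approved", False),
         "This program is not on the approved list and cannot be run."),
]


@dataclass
class Decision:
    allowed: bool
    message: str                     # empty when the action is allowed
    rule_id: Optional[str] = None    # rule that caused a denial, if any


@dataclass
class AuditLog:
    records: list = field(default_factory=list)

    def append(self, action: dict, decision: Decision) -> str:
        """Record who did what, whether it was allowed, and which rule applied."""
        rec = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": action["user"],
            "operation": action["operation"],
            "target": action.get("target"),
            "allowed": decision.allowed,
            "rule_id": decision.rule_id,
        }
        self.records.append(rec)
        return json.dumps(rec, sort_keys=True)   # one JSON line per audit record


def enforce(action: dict, log: AuditLog, policy: List[Rule] = POLICY) -> Decision:
    """Evaluate an action: first matching rule denies, otherwise allow silently."""
    for rule in policy:
        if rule.matches(action):
            decision = Decision(False, rule.user_message, rule.rule_id)
            break
    else:
        decision = Decision(True, "")
    log.append(action, decision)     # audited whether allowed or denied
    return decision


if __name__ == "__main__":
    log = AuditLog()
    # Constructed sample actions.
    for act in [
        {"user": "alice", "operation": "write", "device": "removable", "target": "E:\\report.xls"},
        {"user": "alice", "operation": "write", "device": "fixed", "target": "C:\\report.xls"},
        {"user": "bob", "operation": "execute", "target": "game.exe"},
    ]:
        d = enforce(act, log)
        print("DENIED: " + d.message if not d.allowed else "allowed")
    for rec in log.records:
        print(json.dumps(rec, sort_keys=True))
```

The design point worth noticing is that the audit record is written on every decision, not only on denials: an auditor checking compliance needs to see that the control was in the path of allowed actions too, and the user-facing message is kept separate from the audit record so that the former can be plain language while the latter stays structured.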
As an added bonus, some products in this field offer generic protection from malicious code: viruses, Trojan programs and network worms. They should be seen as a welcome backstop for your chosen anti-virus product. Providing true zero-day protection, they can help keep hostile code off your network.
About the author: Andy Campbell is the Managing Director of Reflex Magnetics Ltd. Further information about Reflex Magnetics can be found at www.reflex-magnetics.com; a white paper on helping to achieve BS7799/ISO17799 compliance can be found at www.reflex-magnetics.co.uk/whitepapers/.
Mr. Campbell will be presenting a paper on De-Perimeterisation (Delivering Secure Data To Users On Demand) within the Technical stream taking place in the Technical room on Tuesday 26th April at 16:15 - 16:45 at Infosecurity Europe 2005, held April 26-28 in the Grand Hall, Olympia, London. For more information, see www.infosec.co.uk.