Best Practices: New Standard Helps Companies Prove Their World-Class Security

Interest is growing in a new British Standard—BS7799—that is slowly being adopted outside of Britain; companies adopting the standard may find they've implemented a best-practices security program.

Interest is growing in British Standard 7799 (BS7799), an extremely thorough, risk-assessment-based security standard. To date, almost 200 companies have adopted it—just outside Britain. It's especially popular in the financial services sector.

One of the benefits of BS7799 may be that a company finds it now has a best-practices security program. For other organizations, BS7799 is one way it can demonstrate the quality of its security. When considering BS7799, however, what should companies do to prepare? Or if they’ve decided to take the plunge, what are the next steps? Enterprise Systems spoke with Manoj Kunkalienkar, executive director and president of ICICI Infotech, a global IT products and services provider based in India, about getting BS7799 compliant.

Which industries are especially interested in BS7799 rollouts?

Many, but especially … the financial sector and insurance.

Why are they attracted to BS7799?

Banking is more security conscious nowadays [and]—of course—it’s other people’s money. [Plus] they’re exposed a lot more to outside networking and the Internet. A couple of decades ago, all the transactions were done by bank employees, and from within the network. So you could recreate a scenario of what went wrong. Today, with the Internet, you don’t know what kind of issue is going to hit you, or when, so security becomes much of a requirement.

What about other types of companies?

Looking at the financial—and other companies—together, I’m seeing a lot of back-office players moving toward the BS7799 certification more from the point of view of proving to the client their back-office processing … is secure.

[Also] looking at the banking sector, I’m not seeing it too much focused today on certifying themselves for BS7799, but I am seeing a lot of banks, financial institutions, [and] insurance institutions which are implementing processes which are close to BS7799, but they might not go in for the certification.

Does meeting the requirements mean you can automatically be certified?

There is a slight difference. [Those that get it] want to prove they’re a secure organization. Then … there are the organizations that would like to know they’re secure but they don’t need the certification. They don’t announce on an advertisement that they’re a BS7799 company. They’re more interested in getting the processes that are related to BS7799.

So the BS7799 certification is a useful tool?

It’s quite a useful and quite an elaborate standard at that. The process of BS7799 has all these built-in processes—have you done this, this, [and] this?—and when you start implementing it you realize how hard all of these additional processes can be.

Do you help companies conceptualize their BS7799 rollout?

Not only conceptualization, but we also help in the implementation of processes as well as the technology related to disaster recovery. And it’s not primarily for Indian companies, we … service customers all over the world.

Do companies find BS7799 attractive because it gives them a tangible list of things to do?

Yes, but like all programs, you have to continually make sure it’s there. It’s not a one-time thing. It is work, but it has to be more of a [change of] culture within the organization.

Do many companies find it difficult to effect that cultural change?

Yes, and you require the top set of persons to push it. That’s the only time when people will take it seriously.

What are the first steps a typical company must take to get BS7799 compliant?

You want to set up a road map for your security requirements, that is when we can step in [to] study your requirements—what is critical, what is not. The first thing we ask is, do you know what your critical inventory is? And we help you make an inventory of your critical assets.

Usually it starts with someone saying, "I want to do disaster recovery," and usually they say I can’t have anything down for even a minute. [So] we do a small study for a week’s time, and say, "Okay if everything is critical, this is what it’s going to cost you."

Then … they say, "There must be something wrong here, this is too high," and we say, "Yes, we know, but this is if everything is critical." So we sit down with each business user and ask what is it exactly that this application does, is it okay if it’s down for a few minutes, a day, a week? Then we create a big matrix and say even if this is down for two days, the effect is limited. These [results] are mostly properly heard by the CEO or chief operating officer.

Then we do a due diligence study, and a more detailed road map, in case you want to implement other things, such as an inventory. Most people don’t have an inventory of assets, and … many times, [as a result], companies forget to replicate external dependencies on the Internet, networking, [and] replicated sites.

Then we advise on some of the human issues as well.

So we give them a road map. This is Phase One.

What comes next?

Phase Two is a detailed request for proposal, which is required to source all the services, software, and hardware. We give you a tabulation of how you need to evaluate all the responses that come back from the vendors. Then we will tell the organization, "Okay this solution is the best solution." Then the organization can negotiate the money or whatever is required. Then we go.

What can a company do before it brings in a company such as yours, to facilitate a quick start?

What you need to do, if you can, is a state-of-the-art study of your current processes—what are people doing, for instance, [when it comes to security]. It could be a small study, two to three days, a week, to see where you are. If you feel that where you are is okay, that the amount of money being spent is okay, you don’t need to call me at all. But if you see that the implementations of what you think should be there and what are really there are different, that’s when you need to call me. Because sometimes when an outsider comes in, it’s a lot more palpable than hearing it from the security manager or someone else in the organization.

Related Links:

Best Practices: Staying Ahead of International Regulations
From carrots to sticks, a variety of recent regulations has presented a challenge to security managers. We ask a security expert where U.S. and European regulations are headed.

Tips for Gramm-Leach-Bliley Compliance
Security vendor Symantec offers best practices for staying in compliance with the Gramm-Leach-Bliley Act.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.