Using Standardized IT Security as a Competitive Advantage

How secure is your company’s information? You only need to open the paper or read a magazine to realize how easy it is for a company’s computer system to be broken into by hackers. It seems like every week some company reports that hundreds, if not thousands, of people have had their personal information stolen because of a breach in security. So how can a company assure its customers that it is doing all it can to protect its information?

"One way a company can help increase its information security is by implementing a standard that creates recognized best practices that have been identified and established internationally," says Willibert Fabritius, a lead auditor with TUV Rheinland of North America, a company that performs numerous ISO system assessments. "There are actually two standards that companies can implement that can help with IT and information security: ISO 17799 and British standard BS 7799-2. BS 7799-2 is an information security management system (ISMS) which uses the same improvement philosophies as ISO 9001 to help achieve continual improvement and effective management of information security. BS 7799-2 emphasizes the risk management process, which affects all areas of a business. The ISO 17799 standard creates a code of practice for information security management. When the two standards are combined, a company has a great platform from which to create a secure IT system."

ISO 17799 identifies that organizations and their networks and information systems are increasingly faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and grow ever more sophisticated. And since companies so heavily depend upon their information systems, this means they have increased vulnerability to security threats. ISO also notes that the trend to distributed computing has weakened the effectiveness of central, specialist control.

Fabritius says there are many reasons why a company should consider implementing ISO 17799 and BS 7799-2, but two reasons stand out. The first is purely a sales and marketing benefit. By achieving such a standard, the company can tout its security when marketing its services. "It would be a huge disaster if eBay’s database was stolen. Imagine all of that credit card information on the black market," he says. "But if eBay could tell its customers that it has an independent certification proving the security of its database, it might be able to persuade more users to use its online auction services. As companies become more familiar with ISO 17799 and BS 7799-2, we’ll see it become a bigger factor in whether or not a company gets business from consumers or other businesses."

The second reason Fabritius says the certifications will gain in popularity is because they help management gain confidence in the company’s internal systems. "In most companies you have the IT staff speaking a different language than the C-Level managers," he says. "An Information Security Management System requires that the IT department log all incidences of virus attacks, firewall breaks and other problems, but does the CEO really understand all of that jargon? In today’s world with regulations like Sarbanes-Oxley, company executives need to know that their systems are up to snuff. Having the ISO and BS certifications can go a long way in helping the C-Level staff sleep better at night."

Another benefit of the standards is that they are not solely focused on information that is only found on computers. Fabritius says that too many companies think only in terms of IT information security, when they should realize that all of their information is important and needs to be protected, not just the data stored on hard drives.

"We tend to think that information security is limited to IT, but once a company starts implementing the ISO and BS standards it quickly realizes that there are many forms of information," says Fabritius. "For example, if an employee is riding in a taxi and is on a cell phone discussing important company data, how safe is that employee being? If the person is in a car they are pretty safe, but what if they were doing the same thing while sitting in an airport lounge or at Starbucks? This isn’t a very secure setting. When implementing ISO 17799 or BS 7799, these types of situations are addressed because the standards say that it’s just as vital that a company keep this type of information secure."

And despite what you may think, chances are there are holes in your information security. Twenty years ago, you only needed one person to run an IT department. But now most computer systems are so complex that the average IT manager cannot manage the system on their own. They may have to hire various experts in certain programs to come in and maintain systems and check for security leaks, but how much does the company know about these outside experts? This is why the ISO and BS standards set up a screening process for outside vendors. The goal is to implement systems that allow management and customers to have a high level of confidence that the company’s information systems are as secure as possible.

Fabritius suggests companies consider doing a risk analysis to see how porous their information systems are. It’s important to remember that the various divisions of a company may require different levels of security. For example, a marketing division would have confidential information about the company, but that information would require less security than the information stored in the accounting division. As part of the ISO/BS audit, companies determine what levels of security and what countermeasures (firewalls, encryption, etc.) are appropriate. Hard drives in the accounting department may be encrypted or use several levels of password or fingerprint protection, while the marketing department may just use simple password controls.

And once a company becomes BS 7799 certified, it must continue to keep a focus on its information security systems. "This includes on-going monitoring of systems and procedures and could include more advanced tests such as hiring outside hackers to attempt to hijack your company’s systems," says Fabritius. "TUV Rheinland works with some of our clients using our professional hackers to see how well a company’s security systems are working. Because technology is constantly changing, what may be working today to protect your company may not work tomorrow. Companies need to be diligent to ensure that their security systems keep up to date."

But no matter how you slice it, Fabritius sees ISO 17799 and BS 7799 becoming the new "must haves" in the near future for businesses. "Just like ISO 9001 certification of an organization’s quality management system has become a requirement for many industries, I think the certification of the organization’s ISMS will become a necessity for businesses over the next few years, especially those businesses that deal in lots of confidential information. Information privacy has become a huge issue and every time another story comes out about a company that has had its database hacked, the concern level ratchets up in the public marketplace. As time goes by, consumers and companies will be further scrutinizing how companies handle their information and will start to migrate business to those companies that are proactive about ensuring security. By becoming registered in ISO 17799 and BS 7799, a company can put itself on the cutting edge of quality control for IT security, show that it has independent verification of its quality of information security, and give itself a leg up on the competition."

A list of 20 items is available via the Edwards Information Web site. The Web site also has resources for companies that have not yet begun their planning. The Edwards Information Disaster Recovery Yellow Pages itself is a great compilation of hard-to-find resources, with more than 3000 listings in 355 categories.

About the Author
Steven Lewis, Ph.D., CISA, CCP, is founder of the Edwards Information Disaster Recovery Yellow Pages directory, and a nationally-known business continuity expert. He has spoken and written on the field for 20 years. The directory came out of his work in developing more than 120 comprehensive business continuity plans for network-based organizations.


Copyright © 2005 Edwards Information. All rights reserved. Used by permission.