From the Editor

Computers & Security, 12 (1993) 516-517

Editor: John Meyer, Elsevier Advanced Technology, Mayfield House, 256 Banbury Road, Oxford OX2 7DH, UK. Tel: +44-(0)865-512242; Fax: +44-(0)865-310981
Senior Editors: John M. Carroll, Ronald Paans, Charles Cresson Wood
Feature Editors: Jack Bologna, William J. Caelli, FACS, Jerome Lobel, Belden Menkus, Martin Smith, Bernard P. Zajac, Jr.
Editor-in-Chief Emeritus: Harold Joseph Highland, FICS, Distinguished Professor Emeritus SUNY, 562 Croydon Road, Elmont, NY 11003, USA
Publisher: Christopher Lloyd
Marketing: Debra Smart
Advertising Sales: Tel: +44-(0)865-512242; Fax: +44-(0)865-310981

0167-4048/93/$6.00 © 1993 Elsevier Science Publishers Ltd

Just in case there is anyone out there in the IT security community who feels that there are insufficient standards, codes of practice, sets of criteria, guidelines, regulations and procedures documents, the UK government has just added to the list. A Code of Practice for Information Security Management¹ has been developed by the UK’s Department of Trade and Industry (DTI) in association with the British Standards Institute (BSI) and a number of leading British and international companies. The Code, all 108 pages of it, rests upon those three well-worn foundation stones of information security (confidentiality, integrity and availability) and sees as its target audience: “managers and employees who are responsible for initiating, implementing and maintaining information security within their organization”.

It should be stressed that the DTI’s Code is simply a reference document and that its guidelines are not mandatory, even within the government sector. Its very emergence, however, begs the questions: why do we need it, and what does it hope to achieve? The Code justifies its existence as an attempt to establish a common basis upon which companies can develop, implement and measure effective security management practice. This common basis, if accepted and worked towards as a recognized British (and perhaps international) standard, should in turn heighten confidence in inter-company trading, particularly in those aspects of business that require data interchange between a business, its suppliers and customers. Plenty of companies may be able to say: ‘we already have a trusted and comprehensive security policy’, but how many companies can say: ‘we are happy that our trading partners have a trusted and comprehensive security policy’? The Code should come as a welcome baseline for those companies with limited, or no, existing security procedures. The test, as ever with a new set of guidelines, will be for those companies that are content with their existing procedures to pick up the Code and adopt its principles. Having examined the Code in some detail, this would hardly appear to be an arduous task, for, as one might expect from a document that has received considerable industry input and is designed for managers and employees alike, the Code adheres to basic IT security principles which are easily achievable and in many cases a matter of common sense. It is the very universality of the principles upheld by the Code that makes it worthwhile reading for all organizations. It would be quite an exceptional company that failed to learn something, however small, from the Code. After all, the Code has been derived from the successful procedures of a number of large companies, including: The BOC Group, BT, Marks and Spencer, Midland Bank, Nationwide Building Society, Shell International, Shell UK and Unilever. Procedures which have been

The Code is based on a set of ten categories that are in general use by the companies that were involved in drafting the Code. These include: security policy; security organization; assets classification and control; personnel security; physical and environmental security; computer and network management; system access control; system development and maintenance; business contingency planning; and lastly, compliance. These separate categories are further broken down into a comprehensive set of security controls, which are divided into a number of logical groups, each preceded by a summary. Inevitably with a code of practice that seeks to be comprehensive, there are a variety of controls that may well not be applicable to a particular company’s circumstances, although the majority of the Code consists of ‘baseline security controls’ that are recommended for all situations. A small number of these baseline controls are considered to be ‘mandatory requirements’ or ‘fundamental building blocks’; these are: information security policy document; allocation of security responsibilities; information security education and training; reporting of security incidents; virus controls; business continuity planning process; control of proprietary copying; safeguarding of company records; compliance with data protection legislation; and compliance with security policy. The Code is comprehensive, easily understandable, logical, and can be said to be a worthy effort in attempting to create an internationally acceptable baseline for security management. Though it does need to be judged for what it is: ‘a code of practice for information security management’. It does not attempt to be a technical panacea, nor to dissect individual security threats. It does answer questions rather than just posing them, though at a managerial rather than a technical level.

So where now for the Code? Yes, it is just one of many IT security guideline documents. However, it does have a particularly strong pedigree, and it will not just lie down and be ignored, nor should it. Whether it will make the dizzy heights of an ISO classification is another matter, though I would suggest that IT security managers can only lose out by not giving it some consideration.

¹ A Code of Practice for Information Security Management, PD0003; contact: Customer Services, BSI Publications, Linford Wood, Milton Keynes, MK4 6LE, UK; tel: +44 (0)908 2211166.