Information Security News mailing list archives

FTSE companies demand common security standards


From: InfoSec News <isn () c4i org>
Date: Tue, 4 Nov 2003 04:40:31 -0600 (CST)

http://www.computerweekly.com/articles/article.asp?liArticleID=126188

by Cliff Saran 
4 November 2003 
 
UK users seize the initiative as suppliers fail to deliver.

Ten FTSE 100 companies have joined forces in an effort to drive home
their IT security concerns to IT suppliers.

The organisations, which include ICI, BP and some of the UK's biggest
banks and financial services companies, along with Royal Mail, are
concerned that suppliers' existing products will not support their
future business strategies, such as B2B web services.

The group, which has emerged over the past year, will present its case
at IT security conferences in a bid to drum up wider support from the
user community.

The group is collaborating on an open standards security architecture
that was originally developed internally by Royal Mail. The
architecture aims to overcome the limitations of current IT security,
where products from rival suppliers are unable to share security
information in a standard way.

Paul Simmonds, global information security director at chemical
manufacturer ICI, said "We have to accept that a network cannot be
kept highly sanitised. We need a more strategic approach to defining
tools and standards than is available today. Traditional network
security has reached the end of its life."

Simmonds, together with David Lacey, director of security and risk
management technology, services and innovation at Royal Mail, will
present the group's position in a debate with Tony Kenyon, head of
security at BT Global Services, at this week's RSA security conference
in Amsterdam.

"Unless the industry can agree on a universal security framework, we
will never be able to exploit the full potential of B2B web services,"  
Lacey told Computer Weekly. "The IT industry needs to classify
security in a consistent way."

Graham Bird of the industry and user forum the Open Group, whose
members include the NHS Information Authority and the Department for
Work and Pensions, is backing the initiative.

Although a business could mandate a set of IT products to achieve a
level of security throughout the company, Bird said, "It is difficult
to control security outside your organisation. It is not possible to
move information in a boundaryless way."

An example of this is the digital rights management technology in
Microsoft Office 2003. An Office 2003 user could control access to a
document but only if recipients of the document were also using Office
2003 digital rights management.

"The industry has to stop making all technology competitive. Suppliers
have to collaborate on standards, and compete on functionality," Bird
said.

Chris Thompson, vice-president for network security products at IT
security company McAfee, said suppliers had to face the challenge of
creating interoperability between security products.

"There is no event correlation between security products. There is no
real industry standard to make this work in real time. To achieve
this, the industry needs to work together," Thompson said.

However, Thompson warned that the industry was at least five years
away from being able to deliver this requirement.

Security proposal

The group is calling for:

* A consistent framework across the industry for classifying data,
  systems, users and connections

* Agreed levels of strength of security mechanisms.

"The Royal Mail architecture sets out proposed solutions for
classification levels and corresponding security solutions based on
open standards," said David Lacey, director of security and risk
management technology at Royal Mail.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.