DTI bemoans security standard take-up

[InfoSec News <isn () c4i org>]

http://www.vnunet.com/News/1138801

By Gareth Morgan 
17-02-2003
 
UK firms may be compelled to take data protection more seriously The
UK government is considering ways of improving the "appalling"  
take-up of security standard BS7799, as fears over IT security
failures grow.

The havoc created by worms such as SQL Slammer has alarmed the
government, alongside concerns that IT security does not have a high
enough priority for businesses.

Slammer caused $1bn (£620m) worth of damage globally, despite a patch
being released eight months previously.

David Hendon, director of communication and information industries at
the Department of Trade and Industry (DTI), warned that, unless
business leaders gave IT security a higher profile, security standards
such as BS7799 could become mandatory.

Speaking at the Protecting Critical Information Infrastructures
conference in London, Hendon said: "There comes a point at which
society cannot allow the corporate equivalent of train crashes to keep
happening. Corporate responsibility will have to be considered."

BS7799 provides a framework for implementing a security policy. The
lack of firms that have achieved accreditation has worried the
government. Currently, only 80 certificates have been awarded to UK
companies.

This is an "appalling" figure, according to Hendon. But he admitted
that his own department, the DTI, is unlikely to devote money to
seeking accreditation until it is forced to.

One way to encourage firms to seek accreditation would be through
existing data protection laws, according to lawyers.

The Information Commission has started including a question on BS7799
certification in its annual data protection forms.

Under the Data Protection Act, companies holding personal data are
required to ensure that it is stored securely.

The Information Commission could assume that, if a firm is not
signed-up to BS7799, its data is not secure, making accreditation a de
facto requirement, said Jonathan Armstrong, technology lawyer at law
firm Eversheds.

But businesses would oppose the imposition of standards.

Jeremy Beale, head of e-business at the Confederation of British
Industry, insisted that the need for information security is not
disputed, but that it should be "achieved through encouragement" not
force.

He suggested that this could be done by favouring accredited firms in
government tenders.

Companies are also being put off because of the perceived costs,
according to David Lacey, head of information security and governance
at Royal Mail Group.

But, after going through the accreditation process twice, he described
this as a misconception. "It is a very efficient way of improving
security procedures," he said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.