The Mother Of All Security Standards?

Author: Stephen Cobb

Originally published in Internet Security Advisor, 1999. Highlights:

Author's Note: A couple of years after this article was written, BS7799 did become an ISO standard, ISO 17799.

Background:
One of the biggest obstacles cited by people charged with implementing security on their company's computers and networks is a lack of standards. For example, we see some companies delaying the selection of encryption solutions because of fears that business partners and clients may opt for a different, incompatible solution, thus impeding the ability to share data, an ability which is now seen as critical to success in many areas of business.
Ironically, when you start to look for security standards, there doesn't appear to be a shortage. Consider the current security-related working groups of the body that sets the standards for the Internet, IETF (Internet Engineering Task Force). These include: Authenticated Firewall Traversal (aft); Domain Name System Security (dnssec); IP Security Protocol (ipsec); One Time Password Authentication (otp); Public-Key Infrastructure (X.509) (pkix); S/MIME Mail Security (smime); Simple Public Key Infrastructure (spki); and Transport Layer Security (tls).
Unfortunately, much of the work involved in setting any kind of industry standards is, for want of a better word, boring. However, the alternative, a world without standards, would probably be too exciting for most people to contemplate. It is hard to imagine having no standards for the storage of gasoline and the measurement of gallons, but right now there are very few objective standards in key areas of the security world, from firewalls to encryption. This not only makes it difficult to judge the quality of the security solutions that we are offered by vendors, but it also undermines our attempts to assess the quality of our own security, and that of our business partners, suppliers, and clients.
The British Are Coming!
Quality may turn out to be a key concept in security standards. It is certainly central to what may become known as "the mother of all security standards." But first we must check some facts. Are you familiar with British Standard 5750? Of course you are. First published by the British Standards Institute in 1979, BS 5750 was revised in 1987, then adopted, in 1988, unchanged, as ISO 9000, arguably the most widely recognized standard in business today. In some industries ISO 9000 is practically a prerequisite for doing business. So what do you need to know about BS 7799?
- It is a document also known as "A Code of Practice for Information Security Management."
- It was first published in 1995 but significantly updated in 1999.
- It provides "a comprehensive set of security controls comprising the best information security practices in current use."
If you are not yet familiar with BS 7799, now is a very good time to look into it, for two reasons. First of all, BS 7799 could well become an ISO standard, to the implications of which we will return in a moment.
Second, unlike some U.S. government security standards, such as NIST Federal Information Processing Standards (FIPS Pubs), the standards issued by the British Standards Institution are strongly business-oriented and make good management tools for companies. Although it does not drill down to technical details, such as specific firewall configurations, BS 7799 very comprehensively addresses four different types of information security assurance that every organization needs (paraphrased from the standards document):
1. organizational assurance, covers organizational and procedural security measures which ensure that information technology and its security functionality are used effectively to provide the level of protection required;
2. product assurance, gives a level of confidence that the security features included in an information technology product will be effective at providing the right level of security;
3. service provider assurance, defines the level of confidence claimed and sought in the security features available from service providers with whom information is exchanged electronically;
4. business trading partner assurance, addresses the level of confidence in the security of information exchanged with trading partners, electronically or otherwise.
The first three items are an excellent way of analyzing an organization's information security concerns, but the fourth is that and more. It takes a step beyond traditional information security theory in order to address one of the biggest areas of network security concern in recent years, the security of the entities with whom you do business. Consider a bank that gives network access to a partner institution that gives network access to a major supplier, who has poor control over its modem connections. I am aware of one banking system penetration test that got all the way to the bank's teller line by dialing into a partner's supplier's modems.
Conclusion
Right now British companies are getting "BS 7799 Certified," through a network of security consulting and auditing companies, approved and sanctioned by the British Department of Trade and Industry (DTI) under the c:cure program. This process will not only improve the security of British companies and the earnings of British security consultants, it will, regardless of ISO adoption, have an eventual effect on U.S. companies. There are two reasons for this. The first involves what the following all have in common: John D. Rockefeller's Standard Oil Company of Ohio, the Jolly Green Giant, Zantac, Phillips Milk of Magnesia, Aquafresh, the Pillsbury Dough Boy, Burger King, and Amoco. That's right, they are all owned by British companies. Now refer to point four above: business trading partner assurance. BS 7799 wisely preaches that a company's information cannot be truly secure if the people with whom it does business do not follow sound information security practices.
Everyone knows that, in today's global economy, made even more global by the Internet and the World Wide Web, it is hard to do business without foreign trading partners. But unlike a lot of people, you have read this column and will not be surprised if some of those partners start pushing for higher information security standards.
Useful Links
Business Manager's Guide to Information Security http://www.dti.gov.uk/SEC/why.htm
BS 7799 web page http://www.bsi.org.uk/bsi/disc/hot_topics/bs7799.html
(Note: you will not find the contents of BS 7799 itself on the web; you have to pay for a copy -- see the above site.)
c:cure BS 7799 Certification Program http://www.bsi.org.uk/bsi/disc/ccure.html
Computer Assurance Guidelines, Department of Trade and Industry (DTI) http://www.dti.gov.uk/CAG
Federal Information Processing Standards Publications home page: http://www.itl.nist.gov/div897/pubs/index.htm
IETF Security Working Groups: http://www.ietf.org/html.charters/wg-dir.html#Security_Area
Updated Spring, 2002 by webloke © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).