[ISN] DTI bemoans security standard take-up

From: InfoSec News (isnat_private)
Date: Tue Feb 18 2003 - 00:47:23 PST

  • Next message: InfoSec News: "[ISN] Over 5 million Visa/MasterCard accounts hacked into"

    http://www.vnunet.com/News/1138801
    
    By Gareth Morgan 
    17-02-2003
     
    UK firms may be compelled to take data protection more seriously The
    UK government is considering ways of improving the "appalling"  
    take-up of security standard BS7799, as fears over IT security
    failures grow.
    
    The havoc created by worms such as SQL Slammer has alarmed the
    government, alongside concerns that IT security does not have a high
    enough priority for businesses.
    
    Slammer caused $1bn (£620m) worth of damage globally, despite a patch
    being released eight months previously.
    
    David Hendon, director of communication and information industries at
    the Department of Trade and Industry (DTI), warned that, unless
    business leaders gave IT security a higher profile, security standards
    such as BS7799 could become mandatory.
    
    Speaking at the Protecting Critical Information Infrastructures
    conference in London, Hendon said: "There comes a point at which
    society cannot allow the corporate equivalent of train crashes to keep
    happening. Corporate responsibility will have to be considered."
    
    BS7799 provides a framework for implementing a security policy. The
    lack of firms that have achieved accreditation has worried the
    government. Currently, only 80 certificates have been awarded to UK
    companies.
    
    This is an "appalling" figure, according to Hendon. But he admitted
    that his own department, the DTI, is unlikely to devote money to
    seeking accreditation until it is forced to.
    
    One way to encourage firms to seek accreditation would be through
    existing data protection laws, according to lawyers.
    
    The Information Commission has started including a question on BS7799
    certification in its annual data protection forms.
    
    Under the Data Protection Act, companies holding personal data are
    required to ensure that it is stored securely.
    
    The Information Commission could assume that, if a firm is not
    signed-up to BS7799, its data is not secure, making accreditation a de
    facto requirement, said Jonathan Armstrong, technology lawyer at law
    firm Eversheds.
    
    But businesses would oppose the imposition of standards.
    
    Jeremy Beale, head of e-business at the Confederation of British
    Industry, insisted that the need for information security is not
    disputed, but that it should be "achieved through encouragement" not
    force.
    
    He suggested that this could be done by favouring accredited firms in
    government tenders.
    
    Companies are also being put off because of the perceived costs,
    according to David Lacey, head of information security and governance
    at Royal Mail Group.
    
    But, after going through the accreditation process twice, he described
    this as a misconception. "It is a very efficient way of improving
    security procedures," he said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Feb 18 2003 - 03:19:14 PST