[ISN] FTSE companies demand common security standards

From: InfoSec News (isn@private)
Date: Tue Nov 04 2003 - 02:40:31 PST

    http://www.computerweekly.com/articles/article.asp?liArticleID=126188
    
    by Cliff Saran 
    4 November 2003 
     
    UK users seize the initiative as suppliers fail to deliver.
    
    Ten FTSE 100 companies have joined forces in an effort to drive home
    their IT security concerns to IT suppliers.
    
    The organisations, which include ICI, BP and some of the UK's biggest
    banks and financial services companies, along with Royal Mail, are
    concerned that suppliers' existing products will not support their
    future business strategies, such as B2B web services.
    
    The group, which has emerged over the past year, will present its case
    at IT security conferences in a bid to drum up wider support from the
    user community.
    
    The group is collaborating on an open standards security architecture
    that was originally developed internally by Royal Mail. The
    architecture aims to overcome the limitations of current IT security,
    where products from rival suppliers are unable to share security
    information in a standard way.
    
    Paul Simmonds, global information security director at chemical
    manufacturer ICI, said, "We have to accept that a network cannot be
    kept highly sanitised. We need a more strategic approach to defining
    tools and standards than is available today. Traditional network
    security has reached the end of its life."
    
    Simmonds, together with David Lacey, director of security and risk
    management technology, services and innovation at Royal Mail, will
    present the group's position in a debate with Tony Kenyon, head of
    security at BT Global Services, at this week's RSA security conference
    in Amsterdam.
    
    "Unless the industry can agree on a universal security framework, we
    will never be able to exploit the full potential of B2B web services,"  
    Lacey told Computer Weekly. "The IT industry needs to classify
    security in a consistent way."
    
    Graham Bird of the industry and user forum the Open Group, whose
    members include the NHS Information Authority and the Department for
    Work and Pensions, is backing the initiative.
    
    Although a business could mandate a set of IT products to achieve a
    level of security throughout the company, Bird said, "It is difficult
    to control security outside your organisation. It is not possible to
    move information in a boundaryless way."
    
    An example of this is the digital rights management technology in
    Microsoft Office 2003. An Office 2003 user could control access to a
    document but only if recipients of the document were also using Office
    2003 digital rights management.
    
    "The industry has to stop making all technology competitive. Suppliers
    have to collaborate on standards, and compete on functionality," Bird
    said.
    
    Chris Thompson, vice-president for network security products at IT
    security company McAfee, said suppliers had to face the challenge of
    creating interoperability between security products.
    
    "There is no event correlation between security products. There is no
    real industry standard to make this work in real time. To achieve
    this, the industry needs to work together," Thompson said.
    
    However, Thompson warned that the industry was at least five years
    away from being able to deliver this requirement.
    
    Security proposal
    
    The group is calling for:
    
    * A consistent framework across the industry for classifying data,
      systems, users and connections.
    
    * Agreed levels of strength of security mechanisms.
    
    "The Royal Mail architecture sets out proposed solutions for
    classification levels and corresponding security solutions based on
    open standards," said David Lacey, director of security and risk
    management technology at Royal Mail.
    
    
    