DATA SECURITY @ the heart of business
15 Jan 2000
Imagine arriving at work to be told: `The computer's crashed. We've lost everything', or `Someone's hacked into our customer database and lifted all the confidential information.' It can, and does, happen. According to the 1998 Business Information Security Survey (BISS), more than half the companies surveyed had experienced at least one security breach in the previous two years, and one in five had suffered a `serious or significant' breach.
IT security is an unprecedented problem, and as a result many organisations are not fully aware of the value of the information they hold or of the consequences of losing it.
The process industry is no exception. Here, as in all industries, IT systems are vulnerable to any number of risks, including computer-assisted fraud, sabotage and vandalism, viruses, breakdown or simple carelessness. Any of these breaches in information security can allow vital information to be accessed, stolen, corrupted or lost at any time. And the true value of that information is not immediately realised: we don't know what we've got 'til it's gone!
Fortunately, particularly at a time when Internet usage and e-commerce are burgeoning, help is at hand. It comes in the form of the British Standard BS 7799, which aims to help companies implement best practice in information security management.
Spearheaded by the DTI, and developed with input from leading UK and international companies, BS 7799 reflects the best information security practices currently in use.
The Standard is published in two parts: BS 7799 Part One is a Code of Practice that recommends a series of security controls on which a company may base its information security management system (ISMS), while Part Two provides a basis for external certification of the ISMS.
Designed to help, rather than dictate, BS 7799 provides guidance on all aspects of information security, and suggests more than 100 security measures which can be applied as appropriate. It even recommends a risk assessment to help the company select the controls it requires.
This risk assessment will include an examination of the potential threats and vulnerabilities of a system, and will consider the impact these could have on the business. Once the risk assessment is complete, the appropriate procedures can be selected to form the ISMS, which can then be audited against the accredited certification scheme, called c:cure.
Apart from helping to avoid the damaging consequences of an information security breach, certification to c:cure also gives organisations key advantages over their competitors by providing invaluable additional credibility. It enables an organisation to make a public statement of capability without revealing its security processes or opening its systems to second-party inspection, and it gives the organisation confidence in the integrity and security of its systems and processes as measured against the best industry practices.
One organisation to experience all these benefits is UKDCS, which provides meter reading and data processing services for the electricity industry. The company remotely collects readings from more than 70,000 meters every day, so the security and confidentiality of this information is obviously paramount. Quality manager Pam Pankhurst explains: `BS 7799 provides an ideal basis for a good information security management system and the intelligent way forward.'
As a result of UKDCS's certification by Lloyd's Register Quality Assurance (LRQA), Pankhurst has seen a number of key benefits: `Independent verification of our information management system is highly visible proof of our commitment to the highest levels of information security.' PE
Gerry Ashton is IT and telecomms sector specialist for LRQA.