
Planning a security management strategy

By Andrew Brown, Division Manager, Spartan Technology Rentals
Johannesburg, 23 Jun 2000

How many IT managers tasked with planning a network security strategy know where to begin? Fortunately, this problem has been tackled extensively and there is some very good information available, so there is no need to re-invent the wheel. One of the best documents on this subject is the British Standard "Code of Practice for Information Security Management" (BS7799).

BS7799 is a practical guide for managing your information security and was compiled by a group of leading companies including: British Oxygen Company, BT, Marks and Spencer, Midland Bank, Nationwide Building Society, Shell and Unilever.

Why do we need a standard?

  • The code was developed in response to demand from industry and commerce, to combat a variety of threats from, for example, physical disaster, fraud and industrial espionage. The code is a valuable practical tool
  • The standard provides a more rigorous basis for the management of security in an open environment, particularly in relation to electronic trade
  • The standard is essential in ensuring the security of a network shared with your business partners, suppliers or customers

How does it work?

Information security management protects assets in three ways:

  • Confidentiality - protecting information from unauthorised disclosure
  • Integrity - safeguarding the accuracy and completeness of information
  • Availability - ensuring information is available when required

The standard sets out not just what the problems are, but how to solve them.

How is it implemented?

  • The code describes about 100 individual security controls under 10 major security headings
  • You can identify the controls appropriate to your particular business or specific area of responsibility
  • Effective security measures and secure operating procedures as practised by the leading companies are set out in detail in the Code of Practice (CoP)
  • The complete range of security issues is covered, from policy to compliance, including legal and contractual requirements

Editorial contacts

Andrew Brown
Dynamic Recovery Services
andrewb@drs.co.za