"I Love You" highlights need for security policies

By Piet Opperman, Researcher, CSC's Research Services
Johannesburg, 11 May 2000

The recent I Love You (ILY) virus, which caused damage in excess of $4.1 billion to hundreds of companies worldwide, has once again highlighted the necessity for an effective corporate information security policy.

"Companies with clear and sensible policies that are in line with internationally accepted standards are increasingly being differentiated from those who take a 'wait-and-see' attitude," says Piet Opperman, President of the IT Users Council, and member of the newly established SABS sub-committee to develop a Code of Practice (COP) for South African information security management systems. "Those companies which do not have a security policy, or do not enforce it, will eventually be labelled as being vulnerable to virus outbreaks. Eventually, their customers will start to question their security capabilities and they could begin to lose business."

This sentiment is echoed by sub-committee chairman, Prof Basie von Solms of the Department of Computer Sciences at Rand Afrikaans University, who is renowned for his expertise in the field of information security. "The ILY virus was able to unleash itself because its recipients opened the email attachment. Either those companies did not have an email security policy in place, or if it existed, it was not adhered to."

According to Von Solms, many companies worldwide base their security policies on the internationally accepted British Standard Institute's BS 7799 Code of Practice for Information Security Management (1999). The SABS sub-committee is also using BS 7799 as a baseline for its work. Section 8.3.1 of the standard suggests several control measures, which include:

  • A formal policy to protect against risks associated with obtaining files and software from or via external networks, or on any other medium, indicating what protective measures should be taken.
  • Checking any electronic mail attachments and downloads for malicious software before use. This check may be carried out at different places, e.g. at electronic mail servers, desktop machines or when entering the network of the organisation.
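As an added, illustrative example (not part of the original article and not code from BS 7799 or the SABS sub-committee), the following Python script shows the simplest form of the second control above, checking e-mail attachments at the mail server: it parses an inbound message, inspects every attachment's file name and declared MIME type, and quarantines messages that carry script or executable attachments or a disguised double extension. The blocked-extension list, the MIME types, the sample message and its file names are all constructed assumptions for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions treated as "active content" and refused at the gateway.
# Assumption for this example; a real policy would be tuned to the organisation.
BLOCKED_EXTENSIONS = {
    "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
    "exe", "scr", "pif", "com", "bat", "cmd",
}

# Declared MIME types that indicate executable content regardless of file name.
# Also an assumption for this example.
BLOCKED_MIME_TYPES = {"application/x-msdownload", "text/vbscript"}

# "report.txt.vbs": a benign-looking inner extension followed by a second one.
DOUBLE_EXTENSION = re.compile(r"\.[a-z0-9]{1,5}\.[a-z0-9]+$")


def attachment_verdicts(raw_message: bytes) -> list:
    """Return a list of (filename, reason) for every attachment that violates the policy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lowered = name.lower()
        ext = lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension .{ext}"))
        elif part.get_content_type() in BLOCKED_MIME_TYPES:
            findings.append((name, f"blocked type {part.get_content_type()}"))
        elif DOUBLE_EXTENSION.search(lowered):
            findings.append((name, "double extension"))
    return findings


def scan_message(raw_message: bytes) -> dict:
    """Gateway decision: quarantine if any attachment violates the policy, else deliver."""
    findings = attachment_verdicts(raw_message)
    return {"action": "quarantine" if findings else "deliver", "findings": findings}


def build_sample_message() -> bytes:
    """Constructed sample: a text body, one script attachment and one PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "kindly check the attached document"
    msg.set_content("please read the attached file")
    msg.add_attachment(b'MsgBox "hello"', maintype="application",
                       subtype="octet-stream", filename="document.txt.vbs")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    result = scan_message(build_sample_message())
    print(result["action"])
    for filename, reason in result["findings"]:
        print(f"  {filename}: {reason}")
```

Extension and MIME-type checks are cheap and catch the plain cases, which is why they belong at the mail server; the standard's point that the check "may be carried out at different places" still holds, since an archive or a renamed file passes this filter and has to be caught again on the desktop or by a content scanner.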

"The company that follows BS 7799 would have had these measures in place, as well as others relating to information security awareness and disciplinary action," says Von Solms. "Employees would consequently have been more aware of the risks, and would probably have picked up the virus before it could inflict damage."

"Modelling your company's information security management on BS 7799 is an investment which can go a long way towards protecting your company against similar attacks in the future," he continues.

"This is not the IT Manager's responsibility, but rests with top management who must formally commit themselves to a BS 7799-based information security plan that focuses more on procedure rather than a technical solution," Von Solms concludes.

Editorial contacts

Pieter du Plessis
IT Public Relations
(082) 458 5300
pieter@itpr.co.za