
ACHIEVING BEST PRACTICE

IN YOUR BUSINESS

Information Security: A Business Manager’s Guide


The DTI drives our ambition of ‘prosperity for all’ by working to create the best environment for business success in the UK. We help people and companies become more productive by promoting enterprise, innovation and creativity.

We champion UK business at home and abroad. We invest heavily in world-class science and technology. We protect the rights of working people and consumers. And we stand up for fair and open markets in the UK, Europe and the world.

Achieving best practice in your business is a key theme within DTI’s approach to business support solutions, providing ideas and insights into how you can improve performance across your business. By showing what works in other businesses, we can help you see what can help you, and then support you in implementation. This brochure focuses on these solutions.

Contents

02 What is information security?

03 What information should I protect?

04 Why is information security important to me?

06 What is the best approach to provide security?

08 BS 7799 – Information security starting point

09 What security roles and responsibilities should I consider?

10 What risks do I face and what security do I need?

12 How do I develop my information security policy?

13 Information Security Policy Statement

14 How do I provide security solutions?

16 Further help and advice

This guide provides an introduction to information security for business managers. It provides help and advice so that you can start to address the issues of information security. It describes what information security is, why it’s important and how to implement appropriate information security solutions. Find out how to identify the risks your business faces, and how to work out the security requirements needed to minimise them. There’s also guidance on how to develop a security policy, the supporting security roles and responsibilities you should consider, and how to use best practice controls to manage your risks.

In many ways, protecting information is similar to protecting your own personal possessions and valuables. This analogy is used throughout the guide to help you understand what’s involved.

Who this brochure is for: any business that wants advice and help when addressing its information security issues.

What it covers: the steps you can take to start to ensure your business information is better protected.

What is information security?

In business, having the correct information at the right time can make the difference between profit and loss, success and failure. Information security can help you control and secure information from inadvertent or malicious changes and deletions or from unauthorised disclosure.

There are three aspects of information security:

CONFIDENTIALITY

Protecting information from unauthorised disclosure, perhaps to a competitor or to the press.

INTEGRITY

Protecting information from unauthorised modification, and ensuring that information, such as a price list, is accurate and complete.

AVAILABILITY

Ensuring information is available when you need it.

Ensuring the confidentiality, integrity and availability of information is essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image and branding.

What information should I protect?

You should protect all information that is sensitive, critical or is of commercial value to your organisation. Information can exist in many forms. It can be:

• printed or written on paper

• stored electronically

• transmitted by post or using electronic means

• stored on tape or video

• spoken in conversation.

We all demonstrate aspects of information security in our everyday lives. For example, we make sure that deeds and insurance documents are stored safely so that they are available when we need them. We also check that the information contained in bills or bank statements is correct.

Your company information should be treated in the same way.

Information also needs to be protected if you share it with other organisations. For many businesses, the Internet has replaced traditional paper based ways of exchanging information. It has enabled information to be sent and received faster, more frequently and in greater volume – not just simple text but also multimedia. Today it is quite common for companies to use the Internet for exchanging information and for e-commerce.

The Internet brings its own security issues which businesses need to consider.

We automatically protect our house and valuables from unauthorised entry, theft and damage.

Your company information requires the same protection.

Why is information security important to me?

Information is an essential resource for all businesses today; it can be the key to growth and success.

Sharing information is an increasing business activity. Your information is a key business asset that is very valuable. Its availability, integrity, and confidentiality may be critical for the continued success of your organisation. Your security can be breached in a number of ways, for example by system failure, theft, inappropriate usage, unauthorised access or computer viruses.

The impact of an information security breach may be far greater than you would expect. Not only will the loss of sensitive or critical business information directly affect your competitiveness and cash flow, it could also damage your reputation and have a long-term detrimental effect. It might take an organisation ten years to establish its reputation and image as a trustworthy and reliable business but a security breach could destroy this in a matter of hours.

“It won’t happen to me”

Unfortunately a security breach could happen to you and maybe it has already happened but you haven’t yet experienced the impact – the effects may not be obvious immediately. As an increasingly large number of companies have found out to their cost, security incidents and breaches are quite common and are a growing problem. In the DTI’s 2004 Information Security Breaches Survey, over 70% of organisations reported that they had suffered a security breach in the previous year.

Copies of the DTI’s most recent Information Security Breaches Survey (which is conducted on a biennial basis) can be downloaded or ordered from the DTI’s website at www.dti.gov.uk/industries/information_security

Hard copies of the survey can be ordered from the DTI's Publications Orderline on 0870 150 2500, quoting URN 04/617 (Technical Report) and URN 04/618 (Executive Summary)

What is the best approach to provide security?

The best way of providing information security is to use a well-tried and tested approach to meet your own specific security requirements. This will ensure that you concentrate on the important areas.

The British Standard, BS 7799, helps businesses implement best practice in information security management. Part 1 of this standard is a code of practice. It was originally published in 1995 and revised in 1999. It then became an international standard, ISO/IEC 17799, in 2000. This standard provides a comprehensive set of security controls comprising the best information security practices in current use by organisations across the world and in all market sectors. Its objectives are to provide organisations with a common basis for information security and to enable information to be shared between organisations.

Part 2 of BS 7799 defines a management framework for identifying security requirements and applying the best practice controls defined in ISO/IEC 17799. Part 2 defines a step-by-step process which can be used to design, implement and maintain an effective information security management system:

• Design the management system for protecting your information. This sets the policy and objectives of information security, assesses your security risks, evaluates the options for treating the risks, and selects controls from ISO/IEC 17799 to reduce the identified risks to an acceptable level. Spending on controls should be balanced against the value of the information and other assets at risk, and the implications of these risks for your business.

• Implement the management system by putting into practice the selected controls to manage the identified risks. This includes implementing suitable procedures, providing appropriate awareness and training, assigning roles and responsibilities and deploying any necessary technical controls.

• Monitor and review the management system to check it is still ‘fit for purpose’ to manage the risks the business faces. This includes monitoring how effective the controls are at managing the risks, re-assessing the risks taking account of any changes to the business, and reviewing policies and procedures.

• Update and improve the management system to implement changes to existing controls as well as putting into practice new controls to ensure it is maintained as ‘fit for purpose’.

Both ISO/IEC 17799 and BS 7799 Part 2 can be used by any size of business in any sector, with any type of information system, whether manual or computerised.

BS 7799 – information security starting point

There are some controls in ISO/IEC 17799 which are applicable to all business environments. Of course the implementation will vary depending on the risks the business faces. These basic starting point controls include:

LEGISLATIVE REQUIREMENTS

• intellectual property rights

• safeguarding of organisational records

• data protection and privacy of personal information.

SOME COMMON PRACTICE

• information security policy document

• allocation of information security responsibilities

• information security education and training

• reporting security incidents

• business continuity management.

We protect our personal possessions and valuables based on our understanding of the risks we face. You should protect your corporate information systems using a similar systematic approach and introduce relevant countermeasures to deal with and manage the risks your business faces.

What security roles and responsibilities should I consider?

To protect our own possessions and valuables, we make sure we have effective security in place. Similarly, someone in your organisation should take responsibility for ensuring that company information is appropriately protected.

An important implementation aspect is the definition and allocation of roles and responsibilities for information security. All staff within your organisation should know who is nominated to fulfil these roles and what their own general responsibilities are in this respect. This is essential for the effective application of the organisation’s information security procedures.

For example:

• Chairman or CEO should provide management direction and support for information security and formally approve the company’s information security policy.

• An information security policy owner should be identified. He or she should be responsible for the publication, distribution, maintenance and review of the policy.

• Senior management should actively support and implement the policy within their own business areas. They should also ensure staff are aware of their responsibilities as well as security issues generally.

• An information security manager should ensure that the information security policy and supporting procedures are properly implemented.

• Asset owners should be accountable for the protection of assets in accordance with the information security policy and supporting procedures.

• Users should follow the information security policy and supporting procedures.

Responsibilities may vary according to the size and nature of the organisation. Some smaller businesses may not need a full-time information security manager, but nevertheless this role should be clearly defined within an employee’s job description and should be put into practice in the day-to-day operation of the business. Large organisations may need to employ a team of people to support the role of a full-time information security manager.

These security roles and responsibilities should complement the business processes.

What risks do I face and what security do I need?

Managers make business decisions about the risks they face on a daily basis. It is important they have sufficient information to make informed decisions and to ensure effective deployment of the organisation’s resources to manage the risks.

Information security risks should be identified and evaluated to assess the likely threat to the business. This will allow appropriate decisions to be taken to protect the business and to help make the best use of the organisation’s resources with regard to security measures and controls.

Inadequate security measures or procedures can result in a security breach. On the other hand, too many controls may be unduly expensive and time-consuming. Knowing the risks we face and how to manage these appropriately can enable us to:

• ensure the availability and continuity of business processes

• reduce unproductive time spent in dealing with problems

• reduce the cost of downtime and service outage

• protect the brand name and image

• protect our IPR, share value, market share, and

• avoid penalties arising from failure to comply with legal requirements.

BUSINESS ASSETS

An important first step in a risk assessment is to identify your assets and their value or importance to the business. These could be tangible assets such as people and equipment or intangible assets such as reputation and image. For example, do you know how much sensitive or critical information you have and how important it is to your business? What is the value of this information? Does it need to be protected in order to comply with legislation?

THREATS

Having identified and valued the assets, the next step is to consider the threats to these assets. You also need to consider any vulnerabilities or weaknesses in your business processes or systems which these threats could exploit. If, for instance, a laptop is left unattended there is an obvious risk of hardware or information theft if there are no access controls in place. You may face the threat of a virus attack which could damage your business systems, either through a lack of user awareness of the appropriate procedures, a lack of anti-virus protection or failure to update existing anti-virus protection.

IMPACTS

Having identified assets and threats you should then look at the possible impact to your business if the worst happens. If your sensitive or critical information were lost or damaged could you recover it and how much would that recovery cost? If a back up of the information were kept then the cost of recovery would be minimal. If no backup is in place, what is the cost of reproducing this information? In addition there could be a cost resulting from the theft and/or misuse of information. To take the example of the laptop, the stolen information could be sold to a competitor resulting in a possible loss of revenue and a subsequent downturn in profit. Awareness of such an impact provides a measure of both how important the asset is to your business and the level of the protection that should be considered.

CONTROLS

Using this information, you can then determine the level of security necessary to protect your assets and to ensure effective use of your organisation’s resources. This should result in an appropriate system of controls and procedures.
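The four steps above (value the assets, score the threats, estimate the impact, choose controls) can be carried through in numbers. What follows is an added example and is not part of the DTI guide: a small Python risk register that values an asset, scores each threat by its expected occurrences per year and the fraction of the asset’s value lost per occurrence, and then adopts candidate controls greedily, taking a control only while the annual loss it would still avoid, after the controls already chosen, exceeds its annual cost. The asset, the two threats (the guide’s laptop theft and virus examples), the four candidate controls, every figure and every name in the block are constructed for illustration, not taken from the guide or from any survey.

```python
"""Added example: a small quantitative risk register.

An asset is valued; each threat gets a likelihood (expected occurrences per
year) and an exposure (fraction of the asset's value lost per occurrence);
candidate controls are adopted only while the loss they avoid exceeds what
they cost. Every name and figure below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # cost to reproduce/replace plus consequential loss, in GBP


@dataclass(frozen=True)
class Threat:
    asset: str         # Asset.name this threat acts on
    name: str
    likelihood: float  # expected occurrences per year
    exposure: float    # fraction of asset value lost per occurrence, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's loss that REMAINS with the control in place
    residual: Dict[str, float]


def annual_loss_expectancy(assets: Dict[str, Asset], threat: Threat) -> float:
    """Expected yearly loss from one threat with no controls in place."""
    return threat.likelihood * threat.exposure * assets[threat.asset].value


def select_controls(assets: List[Asset], threats: List[Threat],
                    candidates: List[Control]) -> Tuple[List[Control], float]:
    """Greedy selection: repeatedly adopt the control with the largest net
    benefit (loss avoided minus annual cost) measured against the CURRENT
    residual loss, and stop when no remaining control pays for itself.
    Controls on the same threat combine multiplicatively, so a second
    control on an already-mitigated threat avoids less than it would alone.
    Returns the adopted controls and the total residual annual loss."""
    by_name = {a.name: a for a in assets}
    residual_loss = {t.name: annual_loss_expectancy(by_name, t) for t in threats}
    chosen: List[Control] = []
    remaining = list(candidates)
    while remaining:
        best, best_net = None, 0.0
        for c in remaining:
            avoided = sum(residual_loss[t] * (1.0 - f)
                          for t, f in c.residual.items() if t in residual_loss)
            net = avoided - c.annual_cost
            if net > best_net:          # only controls that avoid more than they cost
                best, best_net = c, net
        if best is None:
            break                       # nothing left that pays for itself
        for t, f in best.residual.items():
            if t in residual_loss:
                residual_loss[t] *= f
        chosen.append(best)
        remaining.remove(best)
    return chosen, sum(residual_loss.values())


# Constructed sample register following the guide's laptop and virus examples.
ASSETS = [Asset("sales laptop with customer price list", 50_000.0)]
THREATS = [
    Threat(ASSETS[0].name, "laptop theft", likelihood=0.2, exposure=1.0),
    Threat(ASSETS[0].name, "virus infection", likelihood=2.0, exposure=0.1),
]
CANDIDATES = [
    Control("nightly backup", 300.0, {"laptop theft": 0.5}),
    Control("disk encryption and screen lock", 800.0, {"laptop theft": 0.2}),
    Control("anti-virus with automatic updates", 600.0, {"virus infection": 0.05}),
    Control("24-hour guard on premises", 20_000.0, {"laptop theft": 0.5}),
]

if __name__ == "__main__":
    chosen, residual = select_controls(ASSETS, THREATS, CANDIDATES)
    for c in chosen:
        print(f"adopt: {c.name} ({c.annual_cost:.0f}/yr)")
    print(f"residual expected annual loss: {residual:.0f}")
```

Run as a script it lists the adopted controls and the residual expected annual loss. With the constructed figures the anti-virus, encryption and backup controls are adopted in that order and the guard is rejected: once encryption and backup have cut the theft loss, the further loss a guard would avoid is far below its cost, which is the “too many controls may be unduly expensive” point above expressed in numbers. The likelihood and exposure figures are the hard part in practice and should come from your own incident history and the impact questions in the IMPACTS step, not from this example.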

All organisations depend on information to drive their business processes. Much of this information is stored and processed on computers and exchanged over public networks. Information processing technology has revolutionised the world of business, opening up new ways of working, particularly e-commerce.

E-commerce means that you will need to consider and assess the level of risk involved in linking up with a third party such as a trading partner. The DTI publication ‘Information Security: Business Assurance Guidelines’ provides more detailed advice. Copies of this and other publications can be downloaded or ordered from the DTI website at www.dti.gov.uk/industries/information_security. Alternatively, copies can be ordered from the DTI’s Publications Orderline on 0870 150 2500, quoting URN 04/625.

We all make a form of risk assessment when we decide how to protect our personal property and possessions. We start by identifying what needs to be protected and its value and importance to us. We then evaluate the threats that we may face from thieves, vandals and the environment and we make a decision about the necessary steps to take to provide appropriate protection.

How do I develop my information security policy?

Management should set clear policy direction and provide support for information security by means of an information security policy. Such a policy needs to be issued across the organisation and should be reviewed and maintained on a regular basis.

It should complement the organisation’s mission statement and reflect the desire of the business to operate in a controlled and secure manner.

As a minimum the information security policy should include guidance on the following:

• The definition of information security – scope, objectives and importance to the business.

• A statement of intent from management supporting the goals and principles of information security.

• Brief explanation and statements indicating minimum standards, procedures, requirements and objectives of particular importance to the business:

  • consequences of security policy violations

  • legal, regulatory and contractual compliance and obligations

  • security awareness and educational requirements

  • prevention and detection of viruses and other malicious software

  • business continuity planning.

• Definitions of general and specific roles and responsibilities for information security.

• Details of the process for reporting, responding to and resolving security incidents.

• References to supporting documentation, such as more detailed security policies, procedures, implementation guides or security specifications and standards.

An example of a corporate information security policy is set out below.

Information Security Policy Statement

OBJECTIVE

The purpose and objective of this Information Security Policy is to protect the company’s information assets (note 1) from all threats, whether internal or external, deliberate or accidental, to ensure business continuity, minimise business damage and maximise return on investments and business opportunities.

POLICY

• The Chief Executive Officer has approved the Information Security Policy.

• It is the Policy of the [company] to ensure that:

a Information will be protected from a loss of: confidentiality (note 2), integrity (note 3) and availability (note 4).

b Regulatory and legislative requirements will be met (note 5).

c Business continuity plans will be produced, maintained and tested (note 6).

d Information security training will be available to all staff.

e All breaches of information security, actual or suspected, will be reported to, and investigated by, the Information Security Manager.

• Guidance and procedures will be produced to support this policy. These may/will include incident handling, information backup, system access, virus controls, passwords and encryption.

• The role and responsibility of the designated Information Security Manager (note 7) is to manage information security and to provide advice and guidance on implementation of the Information Security Policy.

• The designated owner of the Information Security Policy [name] has direct responsibility for maintaining and reviewing the Information Security Policy.

• All managers are directly responsible for implementing the Information Security Policy within their business areas.

• It is the responsibility of each employee to adhere to the Information Security Policy.

NOTES

1 Information takes many forms and includes data printed or written on paper, stored electronically, transmitted by post or using electronic means, stored on tape or video, spoken in conversation.

2 Confidentiality: ensuring that information is accessible only to authorised individuals.

3 Integrity: safeguarding the accuracy and completeness of information and processing methods.

4 Availability: ensuring that authorised users have access to relevant information when required.

5 This includes the requirements of legislation such as the Companies Act, the Data Protection Act, the Computer Misuse Act and the Copyright, Designs and Patents Act.

6 This will ensure that information and vital services are available to users whenever they need them.

7 Depending on the size and nature of the business this may be a part or full-time role for the nominated person.

Signed _____________________ Title ____________________ Date __________________

(The Policy will be reviewed by the designated owner of the Information Security Policy, typically not more than 1 year from the date signed)


How do I provide security solutions?

Assessing security risks was covered in the section ‘What risks do I face and what security do I need?’ on p 10. In this section we give some examples of the security solutions you need to consider to help reduce your security risks to an acceptable level.

A good basis for selecting a system of security controls is ISO/IEC 17799. The following are examples of some of the controls you should be considering to implement information security.

BEST PRACTICE FOR INFORMATION SECURITY

Information security policy document

The section on ‘How do I develop my information security policy?’ on page 12 of this booklet provides advice on this.

Allocation of information security responsibilities

The section ‘What security roles and responsibilities should I consider?’ on page 9 of this booklet covers this.

Information security education and training

You should provide all employees of the organisation and, where relevant, third party users (such as on-site contractors), with appropriate training. Users should be suitably trained to support the Information Security Policy, as well as the company’s security procedures and the correct use of its business processes and systems. They should also receive training on the use of correct information processing facilities such as log-on procedures and policy on the use of software packages, before access to information, systems or services is granted. Employees should understand why security is important, what the company’s policies are, and their own responsibilities.

Reporting of security incidents

You will need to provide guidance on the actions that should be taken following any security incident, including procedures for reporting and responding to such incidents. This topic should also be included in your Information Security Policy and appropriate education and training should be given.

Business continuity management

A business continuity management process should be implemented to reduce the disruption caused by disasters and security failures, whether these are natural incidents such as equipment failures or malicious incidents such as large scale network attacks. To reduce these risks to an acceptable level you will need a combination of corrective, preventative and recovery controls. An analysis of the consequences of a disaster, system failure, major security breach and/or severe loss of service would then need to be undertaken.

You should develop and implement contingency plans to ensure that business processes can be restored within the required timescales. You should maintain, test and practice such plans in order to ensure that they become an integral part of your management processes.

You will find that the identification of your security risks discussed in the section titled “What risks do I face and what security do I need?” on page 10 will help you to identify the vital business functions that you would need to maintain following a disaster.

If, for example, an assessment of your home has identified a high level of risk, whether because of the high incidence of local robberies or perhaps because you are often away from home, you may well decide to install a burglar alarm. You will then need to decide on the system best suited to your requirements, and you will need to find a reputable supplier who can provide you with an effective system and appropriate after sales care. Your organisation should be subject to the same form of risk assessment so that you can decide on the proper level of protection.

ESSENTIAL CONTROLS FROM A LEGISLATIVE POINT OF VIEW

Intellectual property rights (IPR)

You will need to implement appropriate procedures to ensure compliance with legal restrictions such as copyright, design rights, patents or trade marks. Copyright infringement can lead to legal action that may involve criminal proceedings.

Legislative, regulatory and contractual requirements may place restrictions on the copying of proprietary material. In particular, this may mean that only material that is licensed or provided by the developer can be used. Proprietary software products are usually supplied under a licence agreement that limits the use of those products to specified machines and may limit copying to the creation of back-up copies. Your Information Security Policy will need to have adequate mechanisms in place to ensure that all staff comply with the legal requirements on intellectual property. You should introduce a policy requiring all staff to comply with software licences.


Safeguarding of organisational records

You will probably find that you are doing much of this as part of your compliance with the Companies Act. You should, however, ensure that organisational records held on a computer also comply with the Act.

Data protection and privacy of personal information

The processing and transmission of personal data is subject to legislative controls. Principle 7 of the Data Protection Act 1998 (DPA) requires organisations to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The Act came into force on 1 March 2000.

Further guidance on how the security requirements of the 1998 DPA can be met is described in a separate DTI publication titled ‘Information Security: BS7799 and the Data Protection Act’. You can download or order a copy from the DTI web site at www.dti.gov.uk/industries/information_security or alternatively you can phone the DTI’s Publications Orderline on 0870 150 2500, quoting URN 04/621.

Further help and advice

SUPPORT TO IMPLEMENT BEST BUSINESS PRACTICE

To get help bringing best practice to your business, contact Business Link – the national business advice service. Backed by the DTI, Business Link is an easy-to-use business support and information service, which can put you in touch with one of its network of experienced business advisers:

• Visit the Business Link website at www.businesslink.gov.uk

• Call Business Link on 0845 600 9 006.

ACHIEVING BEST PRACTICE IN YOUR BUSINESS

Achieving best practice in your business is a key theme within DTI’s approach to business support solutions, providing ideas and insights into how you can improve performance across your business. By showing what works in other businesses, we can help you see what approaches can help you, and then support you in implementation.

To access free information and publications on best practice:

• visit our website at www.dti.gov.uk/bestpractice

• call the DTI Publications Orderline on 0870 150 2500 or visit www.dti.gov.uk/publications

INFORMATION SECURITY ISSUES

For help and advice on information security issues contact:

The Information Security Policy Team
Department of Trade and Industry
151 Buckingham Palace Road
London SW1W 9SS
Tel: 020 7215 1962
Fax: 020 7215 1966
E-mail: [email protected]

Further guidance and full listing of all our information security publications can be found at: www.dti.gov.uk/industries/information_security

Or look at our information security business advice pages at: www.dti.gov.uk/bestpractice/infosec

For information on data protection, contact:

The Information Commissioner’s Office
Wycliffe House
Water Lane, Wilmslow
Cheshire SK9 5AF
Tel: 01625 545 745
Fax: 01625 524 510
Web site: www.informationcommissioner.gov.uk
Email: [email protected]

GENERAL BUSINESS ADVICE

You can also get a range of general businessadvice from the following organisations:

England

• Call Business Link on 0845 600 9 006

• Visit the website at www.businesslink.gov.uk

Scotland

• Call Business Gateway on 0845 609 6611

• Visit the website at www.bgateway.com

Wales

• Call Business Eye/Llygad Busnes on 08457 96 97 98

• Visit the website at www.businesseye.org.uk

Northern Ireland

• Call Invest Northern Ireland on 028 9023 9090

• Visit the website at www.investni.com

Published by the Department of Trade and Industry. www.dti.gov.uk

© Crown Copyright. URN 04/623; 04/04