Professional Documents
Culture Documents
IN YOUR BUSINESS
Information Security:
A Business Manager’s Guide
The DTI drives our ambition of
‘prosperity for all’ by working to
create the best environment for
business success in the UK.
We help people and companies
become more productive by
promoting enterprise, innovation
and creativity.
0iii
This guide provides an introduction to information security for
business managers. It provides help and advice so that you can
start to address the issues of information security. It describes
what information security is, why it’s important and how to
implement appropriate information security solutions. Find out how
to identify the risks your business faces, and how to work out the
security requirements needed to minimise them. There’s also
guidance on how to develop a security policy, the supporting
security roles and responsibilities you should consider, and how
to use best practice controls to manage your risks.
Who this brochure is for: any business that wants advice and
help when addressing its information security issues.
What it covers: the steps you can take to start to ensure your
business information is better protected.
Contents
02 What is information security? 10 What risks do I face and
what security do I need?
03 What information should I protect?
12 How do I develop my information
04 Why is information security security policy?
important to me?
13 Information Security Policy Statement
06 What is the best approach
to provide security? 14 How do I provide security solutions?
08 BS 7799 – Information security 16 Further help and advice
starting point
09 What security roles and responsibilities
should I consider?
What is information security?
In business, having the correct information at the right time can make the difference
between profit and loss, success and failure. Information security can help you control
and secure information from inadvertent or malicious changes and deletions or from
unauthorised disclosure.
02
What information
should I protect?
You should protect all information that is We all demonstrate aspects of information
sensitive, critical or is of commercial value security in our everyday lives. For example,
to your organisation. Information can exist we make sure that deeds and insurance
in many forms. It can be: documents are stored safely so that they are
available when we need them. We also check
• printed or written on paper that the information contained in bills or
• stored electronically bank statements is correct.
• transmitted by post or using electronic
Your company information should be treated
means
in the same way.
• stored on tape or video
• spoken in conversation.
03
Why is information security
important to me?
Information is an essential resource for all Information also needs to be protected if you
businesses today; it can be the key to growth share it with other organisations.
and success. For many businesses, the Internet has
replaced traditional paper based ways of
Sharing information is an increasing exchanging information. It has enabled
business activity. Your information is a key information to be sent and received faster,
business asset that is very valuable. Its more frequently and in greater volume –
availability, integrity, and confidentiality may not just simple text but also multimedia.
be critical for the continued success of your Today it is quite common for companies to
organisation. Your security can be breached use the Internet for exchanging information
in a number of ways, for example by system and for e-commerce.
failure, theft, inappropriate usage,
unauthorised access or computer viruses. The Internet brings its own security issues
which businesses need to consider.
The impact of an information security breach
may be far greater than you would expect.
We automatically protect our house and
Not only will the loss of sensitive or critical
valuables from unauthorised entry, theft
business information directly affect your
and damage.
competitiveness and cash flow, it could also
damage your reputation and have a long-term
detrimental effect. It might take an Your company information requires the
organisation ten years to establish its same protection.
reputation and image as a trustworthy and
reliable business but a security breach could
destroy this in a matter of hours.
04
“It won’t happen to me”
05
What is the best approach
to provide security?
The best way of providing information security Part 2 of BS 7799 defines a management
is to use a well-tried and tested approach to framework for identifying security
meet your own specific security requirements. requirements and applying the best practice
This will ensure that you concentrate on the controls defined in ISO/IEC 17799. Part 2
important areas. defines a step-by-step process which can
be used to design, implement and maintain
The British Standard, BS 7799, helps an effective information security
businesses implement best practice in management system:
information security management. Part 1 of
this standard is a code of practice. It was • Design the management system for
originally published in 1995 and revised in protecting your information. This sets the
1999. It then became an international standard policy and objectives of information
ISO/IEC 17799 in 2000. This standard provides security, assesses your security risks,
a comprehensive set of security controls evaluates the options for treating the
comprising the best information security risks, and selects controls from ISO/IEC
practices in current use by organisations across 17799 to reduce the identified risks to an
the world and in all market sectors. Its acceptable level. Spending on controls
objectives are to provide organisations with a should be balanced against the value of
common basis for information security and to the information and other assets at risk,
enable information to be shared between and the implications of these risks for
organisations. your business.
06
• Implement the management system by Both ISO/IEC 17799 and BS 7799 Part 2 can
putting into practice the selected controls be used by any size of business in any
to manage the identified risks. This sector, with any type of information system,
includes implementing suitable whether manual or computerised.
procedures, providing appropriate
awareness and training, assigning roles
and responsibilities and deploying any
necessary technical controls.
07
BS 7799 – information
security starting point
There are some controls in ISO/IEC 17799 We protect our personal possessions and
which are applicable to all business valuables based on our understanding of the
environments. Of course the implementation risks we face. You should protect your
will vary depending on the risks the corporate information systems using a
business faces. These basic starting point similar systematic approach and introduce
controls include: relevant countermeasures to deal with and
manage the risks your business faces.
LEGISLATIVE REQUIREMENTS
08
What security roles and
responsibilities should
I consider?
An important implementation aspect is the • Asset owners should be accountable for
definition and allocation of roles and the protection of assets in accordance
responsibilities for information security. All with the information security policy and
staff within your organisation should know supporting procedures.
who is nominated to fulfil these roles and
what their own general responsibilities are in • Users should follow the information
this respect. This is essential for the effective security policy and supporting procedures.
application of the organisation’s information
security procedures.
Responsibilities may vary according to the
size and nature of the organisation. Some
For example:
smaller businesses may not need a full-time
information security manager, but
• Chairman or CEO should provide
nevertheless this role should be clearly
management direction and support for
defined within an employee’s job description
information security and formally approve
and should be put into practice in the day-to-
the company’s information security policy.
day operation of the business. Large
organisations may need to employ a team of
• An information security policy owner people to support the role of a full-time
should be identified. He or she should be information security manager.
responsible for the publication, distribution,
maintenance and review of the policy. These security roles and responsibilities
should complement the business processes.
• Senior management should actively
support and implement the policy within To protect our own possessions and
their own business areas. They should valuables, we make sure we have effective
also ensure staff are aware of their security in place. Similarly, someone in your
responsibilities as well as security issues organisation should take responsibility for
generally. ensuring that company information is
appropriately protected.
• An information security manager should
ensure that the information security policy
and supporting procedures are properly
implemented.
09
What risks do I face and
what security do I need?
10
IMPACTS All organisations depend on information to
Having identified assets and threats you drive their business processes. Much of this
should then look at the possible impact to information is stored and processed on
your business if the worst happens. If your computers and exchanged over public
sensitive or critical information were lost or networks. Information processing technology
damaged could you recover it and how has revolutionised the world of business,
much would that recovery cost? If a back up opening up new ways of working,
of the information were kept then the cost of particularly e-commerce.
recovery would be minimal. If no backup is
in place, what is the cost of reproducing this E-commerce means that you will need to
information? In addition there could be a consider and assess the level of risk involved
cost resulting from the theft and/or misuse of in linking up with a third party such as a
information. To take the example of the trading partner. The DTI publication
laptop, the stolen information could be sold ‘Information Security: Business Assurance
to a competitor resulting in a possible loss of Guidelines’ provides more detailed advice.
revenue and a subsequent downturn in Copies of this and other publications can be
profit. Awareness of such an impact provides downloaded or ordered from the DTI website
a measure of both how important the asset at www.dti.gov.uk/industries/information_
is to your business and the level of the security. Alternatively, copies can be ordered
protection that should be considered. from the DTI’s Publications Orderline on
0870 150 2500, quoting URN 04/625.
CONTROLS
Using this information, you can then We all make a form of risk assessment when
determine the level of security necessary to we decide how to protect our personal property
protect your assets and to ensure effective and possessions. We start by identifying
use of your organisation’s resources. This what needs to be protected and its value and
should result in an appropriate system of importance to us. We then evaluate the
controls and procedures. threats that we may face from thieves,
vandals and the environment and we make a
decision about the necessary steps to take to
provide appropriate protection.
11
How do I develop my
information security policy?
12
Informati
on Secur
Policy Sta ity
tement
OBJECT
IVE
The purp
ose and
informati objective
on assets of this In
to ensure (note 1) formatio
business from all n Securi
and busin continuit th reats, wh ty Policy
y, minim ether inte is to pro
ess oppo ise busin rnal or e tect the c
rtunities e xternal, ompany
. ss dama d e ’s
POLICY ge a n d maxim lib e rate or acc
ise return idental,
• The C on inves
hief Exec tments
• It is th utive Off
e Policy icer has
of the [c approve
o d the Info
a Inform mpany] rmation
ation wil to ensure Security
l be prote th at: Policy.
and avail c ted
b Regu ab ilit y (n fr o m a loss of: c
latory an ote 4). onfidenti
c Busin d legisla ality (no
ess conti ti ve requir te 2), inte
d Inform n u ity plans em e nts will b grity (no
ation sec will be p e met (n te 3)
e All bre urity train ro duced, m o te 5 ).
aches of ing will b aintained
investiga informati e availab and teste
te d by, the o n s e c urity, actu le to all staff. d (note 6
• Guida ).
nce and Informati al or sus
handling p rocedure o n Securi p ected, w
, informa s will be ty Mana ill be rep
tion back produced ger. orted to,
• The ro up , system to s up p ort this p and
le and re a o li
manage sp o nsibility c c ess, virus c y. These m
of the de controls, a
Informati
informati
on securi signated password y/will include incid
on Secu ty and to Informati s and en ent
• The d rity Polic provide on Secu cryption
y. advice a rity Man .
esignate nd guida ager (note
maintain d owner nce on im 7) is to
ing and of the In plementa
re v fo rm a tio tion of the
• All m ie wing the n Security
anagers Informati Policy [n
their bus a re directly re o n Securi a m e] has dir
iness are sponsible ty Policy ect respo
as. for imple . nsibility
• It is th m e for
e respon nting the
sibility o Informati
f each em on Secu
ployee to rity Polic
NOTES adhere to y within
the Inform
1 Inform ation Se
ation take curity Po
s many fo licy.
tran
smitted b rm
s and inc
2 Confi y post or ludes data
dentiality u sin g electronic printed o
: e means, s r written
3 Integri ns uring that tored on ta on paper,
ty: safegu informati p stored ele
a rding the o n is accessible e o r video, spoke ctronically
4 Availa accuracy o n in conv ,
bility: ens a nd n ly to a uth e rsation.
5 This in uring that complete orised ind
cludes th authorise ness of in ividuals.
e require d users h formation
Compute ments of ave acces and proce
r Misuse legislation s to relev ssing me
Act and th such as th ant inform thods.
6 This w e Copyrig e ation whe
ill ensure h t, C ompanies n require
7 Depe th at inform D esign and Act, the D d.
nding on ation and Patents A ata Prote
the size a vital serv ct. c tion Act, the
nd nature ices are a
of the bu vailable to
siness this users wh
Signed _ may be a enever th
ey need th
________ part or fu em.
________ ll-time role
____ Tit for the no
minated p
(The Poli le ______ erson.
cy wil ________
not more l be revie ______
than 1 ye wed by Date ___
ar from th the designated o ________
e date sig wner of _______
ned) the Inform
ation Se
curity Po
licy, typic
ally
13
How do I provide
security solutions?
14
decide on the system best suited to your Safeguarding of organisational records
requirements, and you will need to find a You will probably find that you are doing
reputable supplier who can provide you with much of this as part of your compliance with
an effective system and appropriate after sales the Companies Act. You should, however,
care. Your organisation should be subject to ensure that organisational records held on a
the same form of risk assessment so that you computer also comply with the Act.
can decide on the proper level of protection.
Data protection and privacy
of personal information
ESSENTIAL CONTROLS FROM A The processing and transmission of personal
LEGISLATIVE POINT OF VIEW data is subject to legislative controls.
Intellectual property rights (IPR) Principle 7 of the 1998 Data Protection Act
You will need to implement appropriate (DPA), requires organisations to demonstrate
procedures to ensure compliance with legal to the Information Commissioner that
restrictions such as copyright, design rights, adequate mechanisms are in place to
patents or trade marks. Copyright prevent unauthorised/unlawful processing,
infringement can lead to legal action that or accidental loss or damage to personal data.
may involve criminal proceedings. The Act came into force on 1 March 2000.
15
Further help
and advice
16
GENERAL BUSINESS ADVICE
You can also get a range of general business
advice from the following organisations:
England
• Call Business Link on 0845 600 9 006
• Visit the website at www.businesslink.gov.uk
Scotland
• Call Business Gateway on 0845 609 6611
• Visit the website at www.bgateway.com
Wales
• Call Business Eye/Llygad Busnes on
08457 96 97 98
• Visit the website at www.businesseye.org.uk
Northern Ireland
• Call Invest Northern Ireland on
028 9023 9090
• Visit the website at www.investni.com
Published by the Department of Trade and Industry. www.dti.gov.uk
© Crown Copyright. URN 04/623; 04/04