Title: NZS4444

Introduction
Welcome Mr Williams, Mr Wraight, ladies and gentlemen.
It is a pleasure for me to be here today at this most timely launch of the substantially revised AS/NZS 4444 Information Security Management Standard. I represent Standards Australia as chairman of the committee of experts responsible for the content of this standard and the community of business (including Telstra where I have a security management role) that will benefit from the use of this standard.
My interest in the information security management area goes back to the early 1990s when I was leading a team doing research into the ‘new’ security technologies.
It was a common experience for people to come and ask me if I could help them with encryption. I knew how hard it is to implement encryption in a sound manner, so I soon started to ask what they wanted to do, and how encryption was going to help them achieve their security objectives. Usually they didn’t know, so I saw that if I was to add value with new security technology, I would have to help with the management dimension as well.
So began my journey down the road of security policies, security objectives, and security risk management.
Initially, I started from scratch and formed a team from various Telstra areas concerned with security to develop a security policy for IT and network systems. Then followed work to document generally agreed security control environments.
It didn’t take me long to realise that it is impractical to do a detailed risk analysis for every security control, and that in many cases there is sound and accepted practice that should be followed.
It was at that stage I heard about work being done by Shell on a concept that they called a ‘security baseline’. That sounded good to me and our team developed a Telstra security baseline – and realised just how hard it is to do well.
It’s hard to know how to organise requirements.
It’s hard to know what level of detail to include.
It’s hard to know where to be prescriptive and where to allow options.
It’s hard to know how much background material to include.
Origins
As I worked on the Telstra security baseline, I discovered that in the UK companies including Shell, Midland Bank, Marks and Spencer, BOC and Unilever had come together to do exactly the same thing; but by pooling their experience they produced something of an industry consensus position.
This initiative was recognised by the UK Government Department of Trade and Industry as an industry enabler and by the British Standards Institute as a standardisation initiative that should be formalised.
The standards community in Australia and New Zealand saw the value of the UK initiative. Rather than duplicate effort locally, we have been working with the UK committee to develop a standard that can be used both there and here. The standard is now being used in the UK, Netherlands, Sweden as well as Australia and New Zealand. A number of other countries are also interested in this standard and efforts are being made to have it adopted internationally as an ISO standard, starting with Part 1.
A key feature to note is that this standard has its origins in industry and its requirements directly relate to the needs of commercial organisations. The recent review has included changes to make it more relevant to small and medium enterprises and to include matters concerning the internet.

Business Objectives

This standard can be used:
within an organisation to specify how to do security;
as a means to establish trust when different organisations interconnect their systems as part of business arrangements; and
as a basis for independent assessment of how ‘good’ security is.
Increasingly, the standard will also be able to be used as a basis for establishing trust between organisations and their customers.
Internal Security
The original intention of the authors of this standard was to establish best practice for security within an organisation. This is necessary to allow managers to be confident that security risks are well managed (and to keep the auditors off their backs).
The first part of the standard does this by first outlining the objectives (or outcomes) – actually 36 of them in 10 categories – that are required and then providing information about security controls – actually 127 of them – that can be used to meet these objectives.
However, it doesn’t take long before a greater need is recognised: security of on-line business-to-business links.
Business to business e-commerce
Over recent years, it has become increasingly common for companies to form on-line links to their suppliers and business partners. Typically this may be for application maintenance purposes, but may also be associated with outsourcing or business-to-business e-commerce. In such cases, there is a real possibility that poor security in one organisation may expose others to serious risks. The problem to be solved is to find a basis for establishing confidence in what your partner does. Initially the approach was for one partner (the biggest one) to impose its policies and standards on the companies they interconnect with. However, as many organisations deal with many others, this approach is obviously impractical. The solution is to use a common security management framework and this standard is an excellent starting point for this.
Independent assessment
To achieve real efficiencies, a regime where security arrangements can be assessed by an independent third party is desirable. In a well designed scheme, security management certification can be recognised by many parties according to the business arrangements they wish to put in place. Part 2 of AS/NZS 4444 specifies an information security management system that can be used as a basis for such certification. This standard does for security what ISO 9000 does for quality.

Conclusion
This standard is a valuable aid to doing ‘commercial grade’ security well. It is no golden bullet, but does provide a framework that ensures that nothing important will be overlooked. It allows security professionals to ‘hit the road running’ and quickly get to the task of designing solutions for particular problems without having to spend a lot of time on the preliminaries. If you like, it may not be the end, but it is certainly the beginning of the end.
Ross Wraight, Chief Executive, Standards Australia
I would like to thank John Snare for his introduction and overview of the standard – a document which, I believe, will become increasingly relevant as we move into the new millennium.
I am also pleased to see so many people here today to witness this important launch.
You know, almost every week in the IT sections of our major newspapers, you can read about the impact of breaches of information security – hackers who plant viruses, denial of service attacks … it’s very topical and is likely to become more so.
Standards Australia comes to this launch with 2 perspectives:
Firstly, as part of Australia’s technical infrastructure and secondly as a business for whom the internet and e-commerce are a critical part of our growth strategy.
As a national provider of technical infrastructure, we are committed to assisting industry by developing and adopting standards that facilitate e-commerce – standards like those relating to electronic funds transfer, identification cards and today’s standard covering the security of information.
And in developing “e-standards”, we have used the technology associated with the internet for our Committee work in this area – an electronic committee working system.
Secondly, as a business in its own right, Standards Australia aims to be at the forefront of e-commerce.
Our core services have been on the web since mid-1997, and our site is visited by almost 2000 people every day – one quarter of them from overseas.
In fact, we are in the top 20 shopping sites Australia-wide, up there with the ABC shop, Myer Direct and David Jones.
We well appreciate the need for “e-standards”.
Before talking about the information security standard, a brief background on Standards Australia….
We are Australia’s leading Standards, business systems and conformity assessment company, with operations across the country and internationally.
We produce most of the business, technical and commercial standards used in Australia, representing one of the country’s largest intellectual property reservoirs.
We rank 12th in the world standards league, but lead the field in e-commerce activity.
There are currently over 6,500 Australian Standards. They’re maintained by approximately 8,000 voluntary experts serving on around 1,700 technical committees.
Our Technical Committee members are the lifeblood of standardization – their contribution to Australia’s wellbeing, in terms of time and expertise, cannot be overestimated.
Every day of the year, 2 or 3 of our committees are meeting as part of the standards development process – a commitment to the national interest that, if valued in dollar terms, would run into the millions, not to mention the intellectual property which is being added to the body of Australian know-how.
Our development time for standards now conforms with world’s best practice and as I’ve already mentioned, we lead the world in electronic distribution.
Standards Australia is proud to be the first national standards body able to offer all of our 6500 Australian standards and other documents individually downloadable from the Internet.
We were not just the first Standards body to put our products on the web; we are the only place in the world you can get ISO and IEC standards on line.
Any business from anywhere in the world can now purchase and instantly access the 12,000 international Standards issued by ISO and the couple of thousand issued by the IEC – a selection of the world’s leading intellectual property … some 20,000 technical and management system standards in total – all available on the world wide web 24 hours a day, 7 days a week and individually downloadable.
Through our work in this area, we’ve recognised that there are many aspects of e-commerce which would benefit from a standardized approach.
That’s why one of our important initiatives in the near future is to establish a high level steering committee to identify and guide the development of e-standards. We want people on this committee who are involved in the business development strategies within their own organisations and who understand the business imperatives which underpin e-commerce in their industry sector.
As John has said, what this joint Australian/New Zealand standard provides is a framework for developing and maintaining confidence in an organisation’s ability to manage its information security risk.
It is recognised by some of Australia’s largest companies such as Shell, Coles, Qantas, Telstra, Westpac, ANZ and ASX, as integral to protecting the privacy, integrity and availability of their information. It also addresses the needs of small and medium sized enterprises.
There are a number of real benefits to business in this new standard.
Firstly, it offers a flexible means of promoting ‘best practice’ in industry rather than a minimal compliance with legal requirements.
Secondly, it sets out a comprehensive framework for managing information security and assessing risks.
Thirdly, it provides a tool which protects the confidentiality, integrity and availability of information assets.
Implementation of such a system will develop confidence for management, business partners and consumers.
It operates without stifling industry’s attempts to innovate.
It can be designed for the specific requirements of an industry.
It saves organisations re-inventing the wheel.
It can provide quick, low cost dispute resolution procedures that are favoured by both consumers and business.
And it can be combined with other forms of regulation, allowing for a mix of regulatory approaches.
There is also the prospect that this standard could be taken up internationally. It is currently going through the formal process to be adopted as an international standard, and we expect to know the outcome of this by August 2000.
John has mentioned how this standard specifies a system which can be used as a basis for a 3rd party certification scheme.
The Joint Australian/New Zealand body, JASANZ, is currently in the process of setting up the accreditation component of such a scheme.
This is being done in response to industry requests for independent certification. Standards Australia surveyed a number of sectors to assess industry interest – sectors like finance, education, retail, communications – and it became evident that there is very strong industry support and that it is a high priority for them.
Once operational, a 3rd party certification scheme will give companies a way of demonstrating to their customer and their business partners that they can be trusted to manage the risks associated with their information systems.
This will contribute greatly to building consumer and business confidence in e-commerce.
It will place Australian industry in a stronger position to respond to the concerns of consumers and the changing global regulatory environment for the protection of information.
It supports a number of emerging technologies (e.g. smart-cards and digital signatures) to have an established information security framework in which to operate.
It also allows the private sector to improve capabilities for protection of the National Information Infrastructure – an area which I know is of major importance to the Federal Government.
Before I conclude, I would like to thank the committee members and others involved in the development of AS/NZS 4444.
Committee IT/12/4 – Information Security Techniques;
the committee that oversees IT/12/4, which is IT/12 – Information, Security and Identification;
and the e-commerce Standards development team headed by Roger Lyle.
Web link: http://www.standards.org.au/cat.asp?catid=45&contentid=359&News=1