I have started to place my e-mail address at the end of these IS Security Matters columns to encourage feedback and dialogue. The matters discussed here are never drawn in pure black and white, and opposing and supporting viewpoints are welcome. One such reply came in response to the article in volume 6, 2000, titled "Eternal Truth vs. The Next New Thing," dealing with the need for policy and standards for e-business security.
Mr. John Harris of the United Kingdom wrote:
"I've read your article in the Information Systems Control Journal. You seem to be calling for a new set of security/control standards purely for e-commerce, given that the industry is driven by business-oriented persons and subject to rapid change.
"You may have heard of British Standard 7799, Code of Practice for Information Security Management systems. This standard has been implemented in its British Standard form in the UK, Canada, Australia and New Zealand, and has been passed as an international standard to become ISO 17999.
"The outstanding feature of BS 7799 is that it provides a framework to create policy and procedure controls within any information environment, irrespective of industry/culture of the target organisation or the speed of change. It can be promoted within the business-oriented world of e-commerce as being a business differentiator, showing that the organisation implementing it is serious about the security of its information, satisfying investors, customers and business partners.
"As yet, there have been very few full BS 7799 implementations leading to certification (38 so far); however, interest in the standard is growing."
First, thank you, Mr. Harris. Second, yes, I have indeed heard of BS 7799, as well as the US National Institute of Standards and Technology (NIST) Common Criteria for IT Security Evaluation,[1] the Canadian Common Criteria Scheme[2] and other thoughtful and significant steps toward developing standard approaches to information security. I certainly do not consider myself qualified to anoint any one of them as the standard for information security generally, much less for e-business security specifically, but the very fact of overlapping and competing (if that word may be used) standards raises some questions in my mind:
- Why have different nations generated different standards?
- From where is the demand for these standards coming?
- And, as posed in volume 6, does the evolution of e-business make previously developed standards obsolete or at least a bit archaic?
The Global Phenomenon
Perhaps the most striking development in world affairs since the collapse of the Soviet Union has been the coalescence of commercial interests that we term globalism.[3] The ability of companies to do business everywhere with everyone at once has been caused, or at least abetted, by the existence of the Internet, e-mail and the World Wide Web. Thus, the security of the world's business and its IT infrastructure are converging. Does it make sense to differentiate the security needs of Asia from those of Europe from those of North America?
I think it does make sense, because a standard is more than a rule--it is a way of communicating that rule. These standards are not laws, after all. There is no coercive governmental power to enforce them. Their applicability and efficacy must be made apparent; a case must be made. The histories, customs and business practices of different nations (or even of regions) may support telling the same story in different ways. If this results in difficulty for companies doing business globally, what of it? I am not aware of any major instances in which the various standards are actually contradictory. Therefore, in the interest of thinking globally and acting locally, businesses must adhere to the standards they encounter wherever they open their (electronic) doors. If this means that the most stringent rules set the standard, so be it.[4] If the rules are too tough, they will be barriers to trade and will topple of their own weight. Otherwise, they set the bar at a commonly agreed-upon height.
Push and Pull
It is notable that the driving force behind information security standards is government. For the most part, industry associations have not developed information security standards. ISACA's COBIT® is a step in that direction, but it is not purely a security standard. On the other hand, many individual companies have developed their own security policies and standards, usually without reference to external bodies. As Mr. Harris notes, only 38 companies have fully implemented BS 7799 and if, as he says, interest is growing, it has yet to have much practical effect.
Frankly, it seems to me that governments, which like things to be orderly and uniform, have never been fully comfortable with information technology, which outpaces any attempt to govern it. The notably anarchic state of e-business must be giving fits to bureaucrats the world over. Therefore, the impetus for common standards in information security is coming from above, not from below. While it is admirable to hold the objective that everyone be secured, it does not necessarily follow that everyone must be secured the same way. Interoperability does not require interchangeability.
The Example of E-business
Some might argue that the globalism mentioned previously necessitates global standards for companies and individuals to do business together. This is largely true, but it does not mean that there must be a single diktat adhered to around the world.
E-business provides some perfect examples. There was no order mandating the use of Secure Sockets Layer (SSL) to protect commercial transactions, yet it is so overwhelmingly used that its absence is more noticeable on any e-business site than its presence.[5] How did SSL achieve its prominence? The same way VHS video recorders or compact disks did: the marketplace decided. Evolution works quickly in the technical realm. New technologies are rapidly sorted into a few winners and many losers. It is not just that the fittest survive; it is that the survivors take over everywhere.
The existence of market-driven standards actually impedes the adoption of BS 7799 and other government-issued standards. The absence of enforceable rules allows experimentation and rapid deployment of the best solutions. Rigid frameworks stultify change. This is not to accuse any of the standards-making bodies of rigidity, but it does recognize that standards, once issued, are difficult to change.
This applies to marketplace-derived standards as well. It was difficult and expensive to move away from mainframes or copper lines. But there is commercial advantage in being first to market with a better, albeit non-standard, technology. Conversely, there was little advantage to making the best buggy whip when the car replaced the horse.
Am I arguing against standards? Certainly not. Anyone who has traveled internationally and tried to plug in an electric appliance or a phone cord understands the need for standards and global standards at that. They are unquestionably necessary, but they should be developed and disseminated after the market has decided, not before. They should be demand-driven, and so obvious by the time they are propounded that it seems as though they were always in place.
This is not intended as pure free-market ideology. It is merely recognition that information security, especially under the onslaught of e-business, moves too quickly for a priori standards. For now, flexible corporate information security standards are more likely to be implemented than general, society-wide approaches such as BS 7799.
[3] Perhaps the best discussion of globalism may be found in Thomas Friedman's The Lexus and the Olive Tree, Farrar Straus & Giroux, 1999.
[4] This is precisely the pattern emerging as European privacy standards are pushing American practices in this area.
[5] e-Commerce Security--A Global Status Report, Information Systems Audit and Control Foundation, 2000, pp. 45-46.
Steven J. Ross, CISA
is a director at Deloitte & Touche. He welcomes comments at firstname.lastname@example.org.