
Information is your most valuable asset - protect it!

 

 

 

 


That is the message behind the newly revised standard AS/NZS 4444:1999 Information security management Part 1: General, which has recently been published.

 

With the onslaught of modern information technologies, information can be exchanged globally at a formidable rate, and companies that would not have even considered doing business with one another due to sheer physical distance are able to do so with relative ease. Research into the original British standard BS 7799, on which AS/NZS 4444 is based, began nearly 10 years ago, when the ubiquity of the Internet and e-commerce was barely imagined. Big businesses, particularly multi-national conglomerates, were quick to realize the potential for a commercial ‘gold-rush’ via the ‘information superhighway’. They also realized the inherent risks in information being exchanged globally without appropriate checks and controls. Demand grew for an international standard to ensure that business interests would not be compromised through e-commerce and, equally importantly, that privacy and copyright issues would be addressed (such as inappropriate information being posted on Internet sites).

 

The new version of AS/NZS 4444 is virtually a replica of the British standard and therefore has international acceptance, says John Beatson, who chaired the NZ committee which worked on the standard and who has his own information security company, Integrity Plus. The Standard has been written to reflect the new business environment, including mobile computing (laptops), third party access to computer networks, e-commerce, publicly available systems (the Internet) and mobile phones. The main difference between the British standard and AS/NZS 4444 is the appendices in the joint standard, which refer to the relevant New Zealand and Australian legislation. In New Zealand this means primarily the Privacy Act 1993 and the Copyright Act 1994. In Britain all information posted on the Internet will very shortly be subject to the same laws as phone calls and surface mail, that is, digital messages will only be retrievable from their owners, although penalties are yet to be decided. Andrew Mason from BSA Consulting Group, also a member of the committee working on the standard, says that the legislation here is largely ‘toothless’. Our legal controls on such activities as hacking or creating viruses are minimal, whereas overseas, such as in the United States, hackers can go to jail if caught. Companies and individuals in New Zealand have very little legal protection against people tampering with their electronic information systems, and therefore it could be argued that the need for a good information security standard in New Zealand’s unregulated environment is even greater, Mason says.

 

Jim Higgins, former chairman of the New Zealand Internet Society, has been lobbying for legislative controls on e-commerce. The Justice Department has released a bill which seeks to amend the Crimes Act to include Internet infringements, but hopes of getting it included in the current government’s legislative timetable are slim, he says. Without such legal recourse, e-commerce in New Zealand will have difficulty progressing, he says.

 

Overseas, e-commerce is booming: in the United States over the Christmas period alone, e-commerce sales climbed to US$12 billion, a 300% increase over sales in the previous year’s holiday season. But without adequate controls on their web sites, businesses face huge risks, as demonstrated by a recent case in the news of a music retailer blackmailed by a computer hacker for a ransom of US$100,000 for stolen credit card numbers. To avoid such commercial disasters, AS/NZS 4444: Part 1 provides general guidelines and principles which businesses should follow, including controls specifically written for e-commerce, such as authentication of customers and suppliers, payment protocols, and procedures for disputes.

 

As Mason says, however, the Standard is based on the principle that information systems security does not merely refer to electronically transmitted data, but to information in all forms, from paper-based systems to mobile phones and fax machines to the physical security of your office space. "There’s not much point of making sure your computer system is watertight and leaving your filing cabinet open."

 

A new emphasis of the Standard is on risk management. It advises that a proper risk assessment should be considered an integral part of establishing a management system for information security. Investing in risk management should be seen as necessary to protect an organization’s assets.

 

The aim of AS/NZS 4444 is to provide the business world with a standard which has the best set of elements of best practice available on information security management.

 

CER

 

 

© Copyright 2003 ASEAN Secretariat. All rights reserved