With clients such as Volvo, Saab, ABB, Electrolux, Ericsson and Hasselblad, Swedish consultancy company Gesab Engineering AB must prove that it takes information security seriously.

Many people think of information security as having to do with IT systems. But it encompasses much more than that. No matter how a company's information is stored, be it on PCs, in programs, on paper, or in employees' brains, it should be suitably protected.
BS 7799, the British Code of Practice for Information Security Management, was developed in response to demands by industry, government and commerce for a common framework to enable companies to develop, implement and measure effective security management practices, and to provide confidence in inter-company trading.
Gesab Engineering AB, a consultancy firm in Sweden, is in the process of being certified by DNV. Says Vigleik Bolneset, managing director: "Our business is to process other companies' information. If anything of what we do leaked out, it could be extremely costly and damaging to our customers. That's why we must make sure that none of the information we have falls into the wrong hands. It's not primarily hackers who threaten our information security, but rather what we talk about. Confidentiality, both internally and externally, shows that we are a company to be trusted."
Creating an information security system requires the attention of top management, because this work is so strongly linked to a company's policy and vision.
Rewarding competence
Gesab Engineering AB is involved in product development, construction and production techniques, in addition to training CAD designers. It has seven offices in Sweden, and others in England and Germany. Its customers include companies in the defence and automotive industries, hence the importance of confidentiality. Gesab represents a type of company whose customers are constantly making demands of their management systems. In information security, Gesab has chosen to be ahead of those making the demands.
Erik Fogelberg, information security manager of Gesab Engineering AB: "Our employees are made to feel responsible for the company's information security."
Says Erik Fogelberg, information security manager of Gesab: "Contrary to what we often hear from other companies, we make our employees, not our customers, the centre of attention. We take care of our people through a creative, positive working environment. Training in information security is done in small groups and workshops to ensure that the participants feel they are responsible for our joint information security. At the end of the day, everything depends on our employees' loyalty. Happily, very few of our employees leave the company."
Vigleik Bolneset, managing director of Gesab Engineering AB:
"In Sweden, DNV is recognised as the most stringent certifying body. That is why we chose them."
Safeguarding information
Vigleik Bolneset considers that DNV sets the most stringent certification requirements. "That is why we selected DNV." The company's information-security management is being certified to the BS 7799 standard. It is based on a risk analysis in which threats to and vulnerabilities of assets are assessed in relation to a company's business perspective. The analysis thereby identifies the company's vital information assets and creates a strategy for how to retain them, even if key employees should leave the company.
Says DNV's information security auditor Birger Berggren: "Everyone talks about IT security, but that's only a small part of the whole. A risk analysis has to cover the entire company. In turn, it makes it possible to improve business."
Based on the findings of the risk analysis, a business continuity plan is made to safeguard operations in a number of areas, should unforeseen events take place. The company then must show that the routines, procedures and processes work.
DNV's marketing manager for BS 7799 in Sweden, Inger Nordin, explains: "The standard demands continuous follow-up. After six months to a year, the company has to examine the risks again and check if they have been minimised in reality."
"Our requirements are that we must be fully operational within five days following any emergency incident," comments Erik Fogelberg. "We are working on integrating all our systems, including quality and environmental, in order to develop a fully comprehensive management system."
Marketing manager IT & Information Security Inger Nordin and auditor Birger Berggren, DNV Sweden, are responsible for Gesab's certification.
"BS 7799 gives us a marketing advantage, because it gives us a stamp of seriousness in the business sector. We have fewer problems regarding accessibility to information because our data systems and computer systems function better and we've achieved better working methods. We've also managed to cope with viruses and hackers."
Why certify your information security management system?
Such a system entails implementing an information security policy with the aim of managing business risk.
A BS 7799 certificate will:
- Demonstrate to a company's clients, partners and employees that it has a strong commitment to confidentiality.
- Provide evidence by a third party that security requirements are met.
- Drive the policy implementation process.
- Demonstrate due care, so helping reduce risk and avoid liability.
