Nowadays, no business can expect to survive without an efficient, reliable IT system which is kept functioning with the help of dedicated professional support.
Systems security and integrity are something we have all come to rely on. Just consider the fact that many tenders for major commercial contracts are now submitted online. A system clock problem could lead to missing the deadline and, thereby, the chance to win a deal possibly worth millions of dollars. In other places — airports, hospitals and international banks, for instance — the repercussions of a security breach in IT systems have become even more complicated and could be far more worrying.
"Many people think of information security as only keeping data confidential. In a broader sense, though, we have what we call the CIA triangle, namely, confidentiality, integrity and availability of data security," says Chris Yau, products and services development manager in the systems and services certification department of SGS Hong Kong Limited. He explains that the company helps customers to maintain their IT systems in line with recognised international standards.
This not only enhances effectiveness and reliability, but can also promote a corporate image that demonstrates foresight and social responsibility. Furthermore, it helps to improve information security and alerts staff to the notion that quality service extends to having the highest professional standards in the use of systems and the handling of confidential data. By doing this, the involuntary disclosure of information and the risk of fraud can be minimised.
Mr Yau notes that new certification standards, including ISO 20000:2005 and ISO 27001:2005, were introduced last year. The former focuses on how services are managed using a "run IT as a business" approach. It requires companies to consider their system capacity, management practices, budgets, human resources, and software control and distribution. This has become especially important in an era when there is more IT outsourcing by all types of organisation from insurance companies to fast food outlets.
The ISO 20000 standard also helps in assessing routine procedures by directing attention to the effectiveness of back-up servers, reviews of system downtime and the steps in place for recovery.
In contrast, the ISO 27001:2005 Information Security Management Systems (ISMS) certification focuses on ways to implement, operate, review and improve systems security. It deals with aspects such as setting policies, business continuity management, asset management, communications and operations. Besides that, it provides guidelines relating to access control, compliance, and the acquisition, development and maintenance of information systems.
All of this is based on the understanding that data is a key asset for modern businesses. If not protected and properly managed, there can be an immediate and adverse impact.
This has made business continuity planning (BCP) more important than ever. BCP sets out how company operations are to be resumed after a partial or complete disruption of critical business functions, and its basic aim is to minimise the operational risk associated with poor information security controls.
"Some investment banks inside the World Trade Center buildings were able to recover all data and restore operations from their back-up centres in Philadelphia or Chicago just three hours after the 9/11 attack," says Mr Yau. Locally, if a bank's head office is on Hong Kong Island, the back-up centre would be set up in Kowloon. "There are two different electricity suppliers, so if there is a power loss, it should be possible to keep functioning on at least one side of the harbour," he adds.
To maintain the necessary standards and increase awareness, Mr Yau recommends that companies train staff in all the main points of IT security by arranging external courses.
To obtain up-to-date ISO certification, existing systems must be reviewed to identify weaknesses and measured against standard requirements. This generally involves a series of internal audits, followed by a period to familiarise staff with any new standards and procedures.
Though not mandatory, many sizeable businesses now regard ISO certification as a "threshold" which their partners or suppliers must cross. "Such certification will become increasingly industry-specific," Mr Yau says.