Macquarie meets new global security standard

ISO 27001 replaces Aussie certification

Macquarie Telecom has become the first Australian telecommunications and hosting provider to be certified by SAI Global to ISO 27001 Information Security Management Systems (ISMS).

The three-year certification is a new international standard designed to help global businesses secure their IT assets and infrastructure, and it replaces country-specific standards for the local market.

It was developed in response to recent high-profile credit card security breaches.

The most recent high-profile case is the TJX Companies debacle, in which data on millions of customers was exposed.

Payment card data involving transactions over an 18-month period between January 2003 and June 2004 had been compromised, as well as further transactions in 2005 and 2006.

An investigation has been launched to find out how intruders gained access to TJX's systems. More than 50 experts from IBM and General Dynamics have been hired by TJX to shore up security following the breach.

In response to the security disasters, governments and businesses are looking to regulatory compliance to put in place stricter controls.

Under the ISO 27001 standard, there are 135 controls that cover aspects of information security from physical access to network device control, password management, virus impact mitigation processes and managing security risks.

Macquarie Hosting managing director, Aidan Tudehope, said regulatory compliance has driven higher IT security standards and the need for security certifications.

"The Sarbanes-Oxley Act has had a significant impact on the financial and legal reporting requirements placed on global businesses," Tudehope said.

"Managing risk associated with the security, reliability and accuracy of a company's IT systems is vital to comply with the Act.

"For our customers, ISO 27001 provides a level of assurance that hosted databases, networks and operating systems meet best-practice standards for risk assessment, policy, training, audits, controls, information and communication."

In addition to a two-stage certification process, ISO 27001 requires six-monthly external audits to ensure ongoing compliance, in which senior management at the certified body sign against the level of risk identified in the audit process.

Tudehope said the high level of management control is critical for its government and enterprise customers because it acts as an assurance that confidentiality, integrity and IT availability risks have been effectively managed.

ISO 27001 replaces the country-specific security standards British Standard BS 7799 and Australia and New Zealand standard AS/NZS 7799.

Macquarie Hosting has been accredited to standards BS 7799 and AS/NZS 7799.

New research shows that more than 70 percent of Fortune 1,000 companies are increasing their security budgets to implement new systems and processes to meet regulatory and audit compliance requirements.

A majority of the compliance-related spending is on policy and process changes, followed by software purchases and encryption technologies, according to a survey of 147 IT managers at Fortune 1,000 companies by tech consultancy TheInfoPro Inc. (TIP).

Bill Trussell, managing director of TIP's security sector, said it is a trend that cuts across industry and corresponds with growing concerns about the consequences stemming from data breaches.

One of the biggest drivers is the Payment Card Industry (PCI) data security standard, he said.

"It is rare to see such a large influencer in the information security marketplace," Trussell said.

A report released by Forrester Research earlier this year estimated most companies will spend between 7.5 percent and 9 percent of their IT budgets on security, regardless of their size, geography or industry.

According to Forrester, the uniformity in spending patterns arises from the growing maturity of information security practices and the solidification of security within IT operations.

The continuing shift from a purely strategic IT-centric security model to a more strategic business-focused one is also driving the need for more investments in processes and tools, Forrester noted.

- with Jaikumar Vijayan and Sandra Rossi