This evolutionary process makes security even more important. It is becoming possible to access a wide variety of information from a single terminal. Furthermore, a security flaw or failure in one system may allow unauthorised access or misuse of other systems.
BT possesses valuable information about its customers and their commercial operations which it is our responsibility to safeguard. Coupled with this should be an awareness of the possibility of computer crime by people inside and outside BT.
While security failures are, like any other quality failure, bad business practice, the repercussions may be more serious.
There are many motivators for good electronic security. BT is obliged under the terms of its current licence to observe a Code of Practice on disclosure of customer information. Disclosure of information could also provide likely movements in the price of BT shares or those of our suppliers. It could be used to embarrass the business by disclosure of commercial negotiations. The business could also suffer through corruption or loss of data. There could also be personal legal liability under the terms of the Data Protection Act in the event of security failure. All these possibilities make the security of BT computer operations increasingly important.
Good security does not have to be expensive. Often simple, low-cost measures, combined with a positive attitude to security, can achieve considerable reduction in the vulnerability of BT systems.
Although this manual is called the Computer Security Manual, it encompasses all electronic systems that are broadly computer-based. It applies equally, for example, to digital switching systems and building access control systems, as well as to the mainframe and personal computers for which it has customarily been used.
BT is now operating in a global environment and its activities cover most parts of the world. Many of its non-core activities and overseas operations are carried out through subsidiary companies. All people working in these wholly-owned subsidiaries are also "BT people". "BT" refers to the parent company and all its wholly owned subsidiaries. Adoption of the CSM in partly-owned subsidiaries will be a matter negotiated between the Director of Security and Investigation and the senior management of each part-owned subsidiary.
The purpose of the Computer Security Manual is to enable BT people to recognise possible threats to BT's systems, and to bring together the current guidance on electronic security principles and practices which may be used to minimise the risk.
The Computer Security Manual is primarily intended for those who specify security requirements in BT's systems and those who implement them; it is also essential reading for users of those systems so that they may understand the rationale behind the protective measures that may be imposed upon them. While it is recognised that the threats to BT's systems are constantly changing, the guidance given is the best available at the time of issue. It should be recognised, however, that guidance will need to be revised when existing threats change or new threats appear.
Although some of the policies on electronic systems security affecting computers have changed since the last issue, the previous structure has been retained where possible, so as to cause minimum inconvenience to users of the manual.
This version of the Computer Security Manual contains mandatory requirements, called CSM Policies, which should be followed in the design, implementation and operation of systems.
The CSM Policies describe various mechanisms that can be employed to protect the security of an electronic system, and are derived from threats (that have been found) and countermeasures that can be used.
The main text provides guidance and background to the CSM Policy statements.
The chapters have been ordered to reflect the larger view of systems (networked systems and the supporting network infrastructure), and then narrowing that view to large computer systems, personal computers, and so on.
The page number found at the bottom of each page is in the format chapter-page in chapter and facilitates the easy replacement of entire chapters without upsetting the numbering of pages in subsequent chapters.
The policy and guidance contained in the Computer Security Manual is prepared and issued after extensive discussion with experts in electronic security throughout the business. The Electronic Security Unit welcomes feedback from users on the adequacy of the guidance given, so that future issues may be improved.
The CSM is the baseline document for the protection of BT's electronic assets on BT premises, in transit, at employees' homes or on contractors' premises. Where a supplier or contractor has obligations to protect BT assets, a copy of the CSM may be loaned to supply the necessary guidance provided:
We would like to acknowledge the help received from all parts of the BT Group in the production of this version of the Manual. In particular, we thank Group Security, Group Information Services, British Telecom International, British Telecom Security Consultancy, Business Communications, Development and Procurement, Internal Audit, and others for their feedback on this and previous issues of the Manual.