Information Security continues to be a great concern with all companies. The Computer Crime and Security Survey conducted by the Computer Security
Institute in the USA in 2003 found that despite increased use of a variety of countermeasures 56% of organisations had suffered breaches of security in the
previous year resulting in annual losses totalling over $200 million.
At Server World we understand the vital importance of protecting the value invested in the information assets upon which the company, its customers and
other business partners depend. We also fully recognise our legal obligations under the 1998 Data Protection Act, and our social responsibilities for the
safe keeping of the confidential information entrusted to our care. For these reasons we are committed to maintaining the highest possible levels of
information security. This is reflected in the way we approach every aspect of the business and in our determination to progress towards achieving full
compliance and certification to the internationally recognised ISO17799 and BS7799 information security standards.
ISO 17799 and BS 7799
Since its publication in September 2002, BS 7799-2:2002 (commonly referred to as BS 7799 Part 2) has rapidly become the most internationally recognised
standard for information security management, with almost 900 organisations worldwide achieving accredited certification by September 2004. It uses a risk
assessment based approach to the selection and implementation of the controls required to meet the specific information security needs of an organisation.
Most of these controls are generally selected from those recommended in BS 7799 Part 1 which was adopted as ISO 17799 by the International Organization for
Standardization in 2000, and is now also reproduced verbatim as BS 7799-1:2000.
The ISO 17799 code of practice for information security management includes recommendations for 127 different controls in 10 categories aimed at
reducing risks to the confidentiality, integrity and availability of the subject information. These include:
- Security Policy
- Organizational Security
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Systems Development and Maintenance
- Business Continuity Management
- Compliance
Security Measures at Server World
Server World's Data Centre is fitted with shatter and impact proof windows, similar to those used by Scotland Yard and Government Buildings throughout
the UK and Ireland, as a preventive measure against physical break-in. Internal access is controlled by key and electronic log card systems with 24 hour
monitored burglar alarms and fire detection in all areas. Zone access, requiring individual authorisation for each area, is used throughout the building.
Electrical supply systems are backed by dual APC Symmetra UPSs which provide power to the network systems and servers. Atmospheric control is through
three separate air conditioning systems giving redundancy against failure of a single system.
All external connections to the Server World networks are through firewalls configured to prevent unauthorised inbound and outbound traffic. The systems
are highly flexible, allowing configuration of dedicated bespoke firewall policies for each individual server or IP address if required. These can be based
on source and destination IP addresses and ports, as well as transmission and application protocols. We recommend that only the minimum access necessary to
meet the customer's requirements be allowed, and the firewall policy used for each customer forms part of the Service Level Agreement (SLA).
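The per-server, minimum-access policy described above can be checked before it is written into an SLA by evaluating sample flows against it. The following is an added example (not Server World's own tooling or configuration) of a default-deny policy evaluator: a flow is permitted only if some rule for that server matches its direction, protocol, source, destination and port, and everything else, inbound or outbound, is dropped. The addresses and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

@dataclass(frozen=True)
class Rule:
    """One permit rule in a server's bespoke policy (constructed format, not a vendor syntax)."""
    direction: str        # "in" (towards the server) or "out" (from the server)
    proto: str            # transport protocol, e.g. "tcp" or "udp"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port, or None for any port

@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int

def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if every field of the rule covers the corresponding field of the flow."""
    return (
        rule.direction == flow.direction
        and rule.proto == flow.proto
        and ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == flow.dport)
    )

def is_permitted(policy: List[Rule], flow: Flow) -> bool:
    """Default deny: a flow passes only if at least one permit rule matches it."""
    return any(rule_matches(rule, flow) for rule in policy)

# Constructed policy for a hypothetical customer web server at 192.0.2.10:
#  - anyone may reach HTTP and HTTPS on the server
#  - only the customer's admin network may reach Remote Desktop
#  - the server may only talk outbound to the update server on port 80
WEB_SERVER_POLICY = [
    Rule("in", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    Rule("in", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    Rule("in", "tcp", "198.51.100.0/24", "192.0.2.10/32", 3389),
    Rule("out", "tcp", "192.0.2.10/32", "203.0.113.5/32", 80),
]

if __name__ == "__main__":
    samples = [
        Flow("in", "tcp", "203.0.113.77", "192.0.2.10", 443),    # public HTTPS: permitted
        Flow("in", "tcp", "203.0.113.77", "192.0.2.10", 3389),   # RDP from outside admin net: denied
        Flow("in", "tcp", "198.51.100.9", "192.0.2.10", 3389),   # RDP from admin net: permitted
        Flow("out", "tcp", "192.0.2.10", "203.0.113.9", 80),     # outbound to unlisted host: denied
        Flow("in", "udp", "203.0.113.77", "192.0.2.10", 80),     # wrong protocol: denied
    ]
    for flow in samples:
        print(flow, "PERMIT" if is_permitted(WEB_SERVER_POLICY, flow) else "DENY")
```

Because the evaluator has no implicit permit, every service the customer needs must appear as an explicit rule, which is exactly the discipline that makes the policy reviewable as part of the SLA.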
Microsoft Windows 2003, 2000 and NT have extensive permissions and identification capabilities which we employ in line with each client's requirements.
It is recommended that passwords be changed at least monthly, not be re-used as new passwords within 12 months, contain a minimum of 9 characters and
be made up of alpha, numeric and extended characters. Permissions can be layered, enabling full control over the areas of the server that can be viewed by
each user. Anonymous users and default web sites are disabled as part of our standard configuration. Server World can also offer access to secure servers
for sensitive data and help with applications for Secure Socket Layer (SSL) Certificates.
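The password rules above (monthly change, no re-use within 12 months, at least 9 characters, alpha plus numeric plus extended characters) are the kind of policy that is usually enforced by the operating system, but it is worth being able to state them precisely. The following is an added example, not Server World's code or a Windows API, of a checker that applies those four rules. It keeps only salted PBKDF2 digests of previous passwords, so the history itself does not store the old passwords; "extended characters" is interpreted here as punctuation or symbol characters, which is an assumption. The history and dates are constructed.

```python
import hashlib
import hmac
import string
from datetime import date
from typing import List, Tuple

MIN_LENGTH = 9            # "a minimum of 9 characters"
MAX_AGE_DAYS = 30         # "changed at least monthly"
REUSE_WINDOW_DAYS = 365   # "cannot be re-used within 12 months"

# Constructed per-user salt; a real system derives one salt per account.
DEMO_SALT = b"constructed-demo-salt"

def digest(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """Slow, salted digest so the history never holds the passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def has_required_classes(password: str) -> bool:
    """Alpha, numeric and extended (here: punctuation/symbol) characters must all be present."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_extended = any(c in string.punctuation for c in password)
    return has_alpha and has_digit and has_extended

def password_expired(last_set: date, today: date) -> bool:
    """True once a password is older than the monthly change interval."""
    return (today - last_set).days > MAX_AGE_DAYS

def check_candidate(candidate: str, history: List[Tuple[bytes, date]], today: date) -> List[str]:
    """Return the list of rules a proposed new password violates (empty list means acceptable).
    history holds (digest, date_set) pairs for the user's previous passwords."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("length")
    if not has_required_classes(candidate):
        problems.append("classes")
    new_digest = digest(candidate)
    for old_digest, set_on in history:
        # constant-time comparison, and only passwords used within the window count as re-use
        if hmac.compare_digest(new_digest, old_digest) and (today - set_on).days < REUSE_WINDOW_DAYS:
            problems.append("reuse")
            break
    return problems

def sample_history() -> List[Tuple[bytes, date]]:
    """Constructed history for a hypothetical user: one recent password, one older than a year."""
    return [
        (digest("Winter2004!"), date(2004, 3, 1)),
        (digest("Spring2003#"), date(2003, 2, 1)),
    ]

if __name__ == "__main__":
    today = date(2004, 9, 15)
    for candidate in ["short1!", "password123", "Winter2004!", "Spring2003#", "Autumn2004$"]:
        print(candidate, check_candidate(candidate, sample_history(), today) or "OK")
    print("expired since March:", password_expired(date(2004, 3, 1), today))
```

Note that the re-use check must compare digests of the whole candidate, so it cannot catch a password that differs from an old one by a single character; the monthly expiry and the 12-month window limit how long any one value stays in circulation rather than guaranteeing the new value is unrelated to the old.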
All workstations that connect to the Server World networks have software capable of detecting computer viruses and Trojan code installed and maintained
with up to date virus definitions. Anti-Virus applications may also be purchased for individual servers, and Server World recommends Sophos Anti-Virus. This
package provides protection for the operating system and, with an annual subscription, offers online updates via the Internet to ensure that all the latest
known viruses can be detected and removed. Licensing is on a per server basis.
Server World continually monitors releases from its software providers such as Microsoft. We recommend that all software patches and updates are
implemented as soon as possible as this has proved to be effective in protecting systems from the latest Denial of Service and Worm attacks, and a Software
Update Server is provided on the network for this purpose.
The data on each server is backed up regularly to an automated robotic tape library system in accordance with the customer's requirement. Any tapes from
our backup system or our clients' dedicated drives that are not in use are kept in a secure off-site storage facility which can only be accessed by key
personnel. Tapes are used on a four-week rotation cycle unless otherwise specified by the customer.
Server World has adopted a strict recruitment procedure for selecting and vetting the correct staff to support our services and is registered as a data
controller under the Data Protection Act 1998.