Universities are coming under pressure to adopt formal information security policies, but the British standard that is rapidly becoming a global benchmark is poorly suited to academic environments, a report has said.
The Committee on Authentication and Security, part of the Joint Information Systems Committee, said higher and further education institutions that participated in a pilot project felt that the BS7799 standard, recommended by the Department of Trade and Industry and the basis for an international standard, could not be fully adopted and a "considerable amount of extra work" would be needed to get external accreditation.
As a result, Jcas does not recommend that universities and colleges should necessarily use the standard for their security planning framework.
According to the report, BS7799 can be difficult to apply rigidly in institutions where the management style is usually focused on fostering a collegiate culture.
A number of options are suggested, with Alan Robiette, Jcas director, favouring the German federal government manual.
"It is far more important that all colleges and universities should have some well-defined route map for improving and maintaining information security than that the whole sector should adhere to any one standard," the report concludes.