Memorandum by the Institute of Information Security Professionals
We would like to thank the Committee for conducting
this inquiry. The issues raised are very relevant.
We are an organisation set up at the beginning
of 2006 and represent Information Security Professionals in the
UK and around the world; in addition to over 1,000 individual
members, our membership includes leading companies such as Accenture,
BT, BP, Camelot, CISCO, HBOS, HSBC, HP, ICI, KPMG, Vodafone, RBS,
Unisys, and UBS.
In preparing our submission we have consulted
all of our membership and circulated our draft response to the
membership for comments. We have also taken input from other organisations
such as EURIM and the IET.
ABOUT THE IISP
The IISP was created in 2006 to represent Information
Security Professionals in the UK and around the world. The membership
represents a wide range of expertise, from technical experts to
leaders in the field, encompassing a wealth of professional experience
and knowledge, independent of commercial interests.
In addition to professionals, the membership
also includes public and private organisations such as Accenture,
BT, BP, Camelot, CISCO, HBOS, HSBC, HP, ICI, KPMG, Vodafone, RBS,
Unisys, and UBS.
The following evidence has been prepared on
behalf of the Institution's Trustees, after inviting input from
its membership.
ABSTRACT
It is clear that products and services need
to have adequate levels of protection embedded. Moreover appropriate
and easy ways for consumers to protect themselves need to be created
and shared.
The challenges around Internet security are
exacerbated by the rapid evolution of both technology and associated
threats. This, combined with consumers' general lack of understanding,
makes them a natural target.
The key elements in securing the Internet are
to enhance both the level of professionalism in developing secure
products and services, and also to recognise those who can provide
competent advice to consumers and business alike.
DEFINING THE PROBLEM
The number of computing devices and essential
services becoming "Internet enabled" is rapidly increasing,
and consumers are keen to take advantage of the convenience and
lifestyle benefits of a rich set of services and ubiquitous connectivity.
However the range and sophistication of emerging
threats is becoming too complicated for consumers to understand.
In recent years we have seen a rapid increase in threats and the
situation is likely to worsen.
It is clear that products and services need
to have adequate levels of protection embedded. Moreover appropriate
and easy ways for consumers to protect themselves need to be created
and shared.
Disclosure, and possible abuse, of personal
data held on the myriad databases throughout the world remains
a threat to consumers and citizens over which they have no real
control. They have to assume that organisations to whom they have
provided the data in order to take advantage of the services will
maintain effective security over this data.
Consumers have for many months now seen a number
of companies offering this information for commercial gain. Equally
consumers have struggled to understand who to turn to for advice
and who is competent to give it.
The key challenges, therefore, in securing the
Internet are to enhance the level of professionalism in developing
secure products and services, and also to recognise those who
can provide competent advice to consumers and business alike.
TACKLING THE PROBLEM
It is likely that some of these threats will
disappear in the next few years as new technologies are developed
and introduced. We expect an evolving market to develop where
consumers are offered more security services embedded into a more
resilient intelligent infrastructure. The profession hopes that
these changes will make it easier for citizens to take effective
measures to protect their own devices.
However, to achieve this and for consumers to
feel safe in their use of the Internet they will need to have
the confidence that those who are designing, implementing and
advising on security are competent professionals.
Increasingly products and services as well as
advice and guidance are coming from offshore environments, eg
Eastern Europe, India and China. It is therefore encouraging that
overseas individuals are increasingly approaching the IISP seeking
membership.
It is important to promote an environment where
products and services are designed by recognised competent professionals
and where advice and guidance can come from those same recognised
competent professionals. In addition to this, education of consumers
is essential.
The membership of the IISP has extensive knowledge
of the threats and dangers facing the consumer, and although this
knowledge is not presently utilised for the benefit of the public
at large, many of our membership are enthusiastic about finding
ways to help.
Developing partnerships with government efforts
such as Get Safe Online where that knowledge is essential to educate
people effectively will be of significant benefit to society.
GOVERNANCE AND REGULATION
Self regulation is preferred to imposing regulation,
and the challenge of regulating in this area is the international
dimension of the issues. New vulnerabilities are being identified
and exploited, and new ways of combating fraud and other crimes
are being performed electronically.
Legislation does need to be maintained to retain
a deterrent; however, crime prevention/protection is often the
best defence. To achieve this, one of the areas that the Government
has explored is the issue of licensing information security professionals.
In doing so Government has recognised the importance
of public protection and the need to have competent professionals
designing and delivering information security.
This need is reflected in the requirement for
competent professionals working in the hardware, software and
services industry as well as those working in Government, the
police, and the education sector.
The Government and large private sector organisations'
effort to promote the competency of those working in information
security through membership of the IISP is a key step, and one
which has been recognised by leading organisations in the public
and private sector around the globe.
With this development consumers and citizens
alike will have the confidence that those working within the field
are able to offer reliable advice and guidance to enable a safer
Internet.
20 October 2006