IT security firms face prevention or regulation

IT security firms will need to demonstrate they can prevent criminals infiltrating their businesses if they want to avoid government regulation, the Department of Trade and Industry (DTI) has warned.

The clarification comes after Home Office Minister Charles Clarke last week refused to count IT security staff among those professions exempted from the Private Security Industry (PSI) Bill.

At the same time, however, he claimed the UK government had no plans to introduce regulation before the DTI had consulted with the information security industry.

But a DTI spokesman said the department was "still drawing up the timetable" for talks, and officials would take soundings from a combination of trade associations and individual firms in the sector.

The spokesman added: "What has been proposed is that the DTI discuss with the sector how at present it ensures that it is not exposed to infiltration by criminals. We do not believe there is a problem, but the industry will undoubtedly welcome the opportunity to look afresh at this issue and share and promote best practice."

Neil Barrett, a security consultant with Information Risk Management, said: "The industry does need regulating, and if we're going to be regulated, it should be self regulation. To do that, we need a specific industry association."

Wayne Sowery, technical director with MIS-CDS, also backed the call for a new association. "I'd like to see a body set up, which conducted examinations for professional competency that clients could trust," he said.

The government currently offers two courses, CLASS and CHECK, to certify industry workers, although they are not well-regarded. Alternatives include several US based schemes such as the Certified Information Systems Security Practioneer exam run by the International Information Systems Security Certificates Consortium (ISC²).

IT associations with a broader remit, such as the British Computer Society (BCS), the Professional Contractors Group (PCG), the Computer Services & Software Association (CSSA) or the European Information Society Group (EURIM), have all said they would be prepared to discuss any plans for regulation.