Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland
www.QualityIntegration.biz
BUSINESS-INTEGRATED INFORMATION SECURITY MANAGEMENT
Abstract
Information security in any enterprise is achieved effectively and
efficiently through systematic Information Security Management (ISM)
that is in line with the company's business objectives. However,
information security practices have often been implemented separately
from the business, by information security professionals. This is not
a natural approach, and it has even been regarded as annoying. As a
solution to this problem, this paper puts forward an approach that
integrates all necessary information security actions seamlessly with
business management and business processes, and shows how to take
into account the realities and requirements of modern business
environments.
ISM serves primarily a company's own business needs and targets.
In this approach the company should of course also take into account
the needs and expectations of all its stakeholders. It should also
communicate effectively with those external parties on relationship-related
topics, including relevant information security issues. By analogy
with the well-known Quality Assurance (QA) practices, one may use the
concept of Information Security Assurance (ISA), aimed at creating confidence
among external parties. ISA should be based on the company's
internal ISM.
Information security management is a fuzzy concept. It is therefore important
to apply business-management-related methodology to evaluate its performance
(including its strengths and weaknesses) and to carry out appropriate
improvement actions continually.
A great variety of quality management and quality assurance methodologies
and tools, e.g. the ISO 9000 standards, have achieved very broad and
recognized international acceptance, and they can also be put to good
use in managing business-integrated information security. In fact,
information security can be seen as a sub-item of the concept of quality.
Information and information security, key aspects in the management of modern enterprises
The significance of information security has been emphasized in all
kinds of organizations in modern business environments, and especially
where information technology is used extensively. The competitiveness and
success of companies is based on having the right business-related knowledge
at the right time. Conversely, wrong or even manipulated information, or missing
information or knowledge, may cause serious business risks. A continuous
and efficient exchange of information between all stakeholders
(or interested parties), e.g. customers, employees, shareholders,
suppliers, business partners, and the general public, is a necessity. Both the number
and the variety of stakeholders have increased, and communication
between them has increased and intensified tremendously due to global
telecom networks and services. Company-dedicated networks are tightly
linked with public networks. A very large part of the information
concerned is confidential, at least to some stakeholders.
E-business is today's reality and an increasing opportunity for organizations
in all sectors. E-business is not only a technological issue. Today
the Internet already covers the whole of life. The Internet provides a worldwide
communication infrastructure that is expanding very fast. The Net
includes all people, organizations, cultures, and communities,
and it has changed all interaction environments and behaviors. E-business
facilities do not apply only to the explicit data or information of organizations;
they also extend to increasing communication between people using their
implicit knowledge. Information security professionalism should also
adapt itself to these new business realities, but e-business also
creates quite new opportunities for both business management and information
security.
The necessity of integration, the harmfulness of separate management systems
Information security in a company is the end result of numerous details
and activities. These are broadly considered in the information security
literature (see e.g. references 4, 5 and 6). The management of all
these impacting factors, so that the results of information security
further the aims of the company, is called Information Security Management
(ISM). Information security management is integrally embedded in
Business Management (BM) actions.
In order to be able to utilize all the factors that contribute to
the realization of information security, a comprehensive approach
is required. Without it, the implementation will contain
loopholes, and the overall situation is typically determined by its
weakest links. Another danger is partial optimization, in which certain
factors are overly emphasized without their being able to bring
about the desired effects for the whole. All of these shortcomings,
moreover, always entail additional unnecessary costs.
Information security management is fully analogous to the management
of many other areas of expertise important to a company. These include,
for example,
- finances
- quality
- business risks
- human resource development
- information management and communications
- occupational health and safety factors
- environmental protection
All these areas have professionally very different established
practices, based on their distinctness and historical development.
For example, during the last couple of decades the area of financial
management has seen the development of widely adopted de facto principles
and practices, such as budgeting and accounting practices. The systematicity
(i.e. systematic approach) of quality management, including quality
assurance, has attained a very well established and internationally
standardized position through the widely known and used ISO 9000 standards.
These standardized quality management principles have an impact on all
the business areas of organizations, including information management
and information security. The experience gained through quality management
also provides ample opportunities to learn from and to utilize in the
area of information security.
Relevant issues with respect to the success of a particular area
of management, such as information security management, include:
- Integration, i.e. no distinct management system is created for that
particular area; instead, the management procedures relevant to it are
realized as integral parts of the overall business leadership and
management system (see figure 1).
- Consistency, i.e. the various measures needed for the management
of that particular area are mutually congruent and compatible.
Figure 1: Consistent elements of Information Security Management (ISM)
and Information Security Assurance (ISA) integrated with business
management (BM). ISM covers the whole BM. ISA is a part of ISM.
Correspondingly, if distinct management approaches, upheld by different
organizational (typically support) units and experts, were to arise
for different management responsibilities, this would sooner or later
generally entail negative effects for the business as a whole. In this
context one commonly hears talk of such-and-such a system,
for example an information security system or a quality management
system. In order to avoid negative effects, it would be better to
talk about the systematicity of information security rather than
an information security system. Here systematicity (or
systematic approach) refers to including the "flavor"
of information security in all actual business management practices.
If distinct management areas are allowed to become overly emphasized
due to their independence and distinctness, a common consequence is
also conflict between these different areas (see
figure 2), for instance in connection with prioritizing and resourcing
various initiatives and projects. Such conflicts relate especially
to two management levels of a company:
- the general manager, because his or her commitment to all areas
is required, and
- business processes, because each area wants to make an impact and be effectively
taken into account in key business process operations.
Fragmentary management also often entails inefficiency in the utilization
of a company's information base and in information-based leadership.
Such a situation might even result in an uncontrolled situation, which
as such may also have negative effects on information security. A
futile competitive situation between different specialized doctrines
can be avoided only if a company has a sufficiently solid leadership
system of its own, one which enables it to utilize, based on its own
deliberations, all those expert doctrines which have proved to be useful.
Figure 2: Possible conflicts of specialized management areas
The reason why the integration of information security management
has often not taken place effectively could be that a company's
own leadership system has not yet taken shape to a sufficient degree,
resulting in a lack of points to "grasp onto". It might
also be that information security issues are delegated too
much to experts alone, who then create their own special systems,
even emphasizing their own position. Moreover, many concepts and
basic principles of information security are foreign and difficult
to understand for busy business managers.
Business management has new challenges
Traditionally, systematic managerial actions relate to the business
system and its organizational structure, business environments, stakeholders
(interested parties), business performance and targets, management
and leadership, technology, products (goods and services), business
processes, work and "employeeship", customs and customers,
and company culture. Now there are fundamental changes in all these
issues when organizations operate in e-business environments.
Only two examples, which are however very central issues for information
security, are considered here: the concepts of organization and management.
Both of these concepts have very different frames of reference in e-business
compared with traditional business environments. Corporations
have changed into virtual business communities whose borders are rather
vague. Nobody manages this kind of complex organizational
entity any more; instead there are many individual actors with different roles and
performance options depending on the access, reach, and control characteristics
of the actors. All this means that remarkable innovations are necessary
also in information security thinking and practices. All information
security related concepts are still relevant, but their substance and
realizations could be understood in a new way.
Effective management of business information and knowledge is
crucial for business success. At the same time, information security
is also a business management issue that cannot be carried out by
experts alone.
All products, consisting of goods and services, are developed, produced
and delivered through interlinked business processes. Both products
and processes today have a very strong information and knowledge content.
Knowledge may be explicit or implicit (tacit). The biggest and most
important part is the tacit knowledge of the human beings operating
the business processes.
Effective and efficient process management can be seen as a core issue
for realizing information security in practical business environments.
Of course, the necessary prerequisite is familiarity
with the concepts, principles, and practices of both professional
information security management and business process management.
Basic requirements for information security relate to integrity, availability,
and confidentiality, as well as authenticity and authority aspects,
especially when using means of electronic communication. In business
environments these requirements can genuinely be fulfilled only through
consistent management of the business processes and their activities.
According to recognized international authorities, information security
involves the following comprehensive management-related issues:
- Security policy
- Security organization
- Asset classification and controls
- Personnel security
- Physical and environmental security
- Computer and network management
- System access control
- System development and maintenance
- Business continuity planning
- Compliance management
In fact, all these issues are very strongly related to business management
decisions and actions (the strategic viewpoint) and to business process
management practices (the operational viewpoint).
Realizing the integration of information security management
It is impossible to define clearly and unequivocally where the borderline
between ISM and business management (BM) lies (see figure 1). As a matter
of fact, ISM stretches across the entire BM area of operations, because
all decisions and measures made by the leadership (whether they are in fact
undertaken or not) have a direct or indirect, positive or negative
impact also on the realization of ISM.
In practice, the integration of information security issues with
business management approaches takes place at two levels:
- The strategic level, where decisions are made and measures undertaken
concerning the entire business, considering especially the future
competitiveness of the company and the management of the whole business
system.
- The operational level, where decisions and measures concerning daily
and case-by-case management are made and undertaken.
The most important tasks of leadership on both levels are planning,
control, and (continual, step-by-step) business improvement, all of which
should be realized in a systematic way and in accordance with
the company's leadership practices. Integration of information security
will not take place effectively and efficiently unless information
security issues have been included in these normal leadership tasks.
In integrating information security practices, it is extremely important
to manage the company's business processes appropriately. This
is because, in practice (operationally), information security originates
from processes, that is, from process-related activities and the information
flows between these activities (see figure 3). Thus, information security
is affected directly and in real time by process arrangements, tools,
and people in practical work.
Figure 3: Information security is realized in the activities and information
flows of business processes (e.g. the order/delivery process).
Real responsibility, even for the management of specialized
issues including information security, always lies with business
leaders: at the strategic level with the general manager and business
area managers, and at the operational level with process owners. This
responsibility cannot be delegated to experts or externalized to external
inspectors or consultants. The task of experts such as information
security directors or managers is to provide expert support, e.g.
facilitating particular approaches and improvement topics through
the use of professional tools.
It is essential for the efficient realization and continual
improvement of all issues and means concerning information security
that, within a company,
- the leading principles of the issue are clear and well known,
- effective and efficient means (approaches, procedures, methods,
tools, and theories) are available and used, and
- there is an innovative management and leadership atmosphere and
infrastructure.
In fact, continual improvement means a learning process covering
the whole organization. It is possible, and really a big challenge,
in every company, but it requires a comprehensive approach including:
- sensitivity and awareness to new solutions
- changing beliefs and attitudes
- training and educating new skills and competences
Assuring information security in order to build confidence in external parties
The aim of ISM is to further the business needs of a company internally.
In addition to such internal motives, one also needs measures directed
at parties external to the company, such as customers or regulatory
authorities, whose purpose is to increase confidence in
the company's information security abilities and solutions. All these
measures can be referred to as Information Security Assurance (ISA),
analogously to the well-known standardized Quality Assurance (QA)
principles and practices.
In practical company-level realizations, ISM and ISA should be
consistently paired approaches. This can be realized effectively in
practice only if the same approaches that form the basis of the ISM intended
for the company's internal use also underpin ISA (see
figures 1 and 4). Thus, the foundation of information security assurance
consists of real procedures in business processes, and it is realized
through the way in which these are communicated to external parties.
Information security assurance can be systematically realized with
the help of a concrete information security assurance plan.
Figure 4: Information security assurance (ISA) is based on activities
of business management. The key issue of assurance is communication.
Evaluation and continual improvement of information security management
It is important to be aware of, i.e. to evaluate, the real information
security situation of a company with respect to both ISM and ISA.
As a matter of fact, information security is a fuzzy concept (see
figure 5). This implies that an overly simplified dichotomous view,
in which the company either has or does not have information security,
is not a fruitful approach. Information security always has
to do with levels of development and differences in degree. This also
entails an essential feature of information security, namely that
it is always possible to improve it continuously. Moreover, it is
also always worth investing in it appropriately.
Figure 5: Information security is a matter of degree and can be always
improved.
In information security assessments one can look at the entire business,
in which case the assessment is strategic, or one can examine
particular business processes and their parts, in which case the evaluation
is more operational in nature. In both cases the assessments must
focus on both real operations and the concrete results
achieved through them. Through an assessment one can, and should,
bring into view the company's real
- strengths, i.e. how we differ from others, our competitors, on
the basis of factual information, and
- weaknesses, i.e. what the facts indicate that prevents
or hampers us from using our strengths in a competitive manner.
With the help of an appropriate assessment methodology one can also
obtain a quantitative assessment result (numerical scoring) that indicates
the company's developmental status and maturity concerning ISM. It
is also appropriate that the assessment produces recommendations and
initiatives for the continual improvement of the situation.
The assessments, and the improvement measures based on them, include
information on appropriate comparative references (own goals, competitors,
and the best in other industries) and learning from the existing best
practices of other organizations, i.e. benchmarking.
When assessing a company's business performance, strength in management
actions implies:
- an effective and systematic approach, responsive to the information
security requirements, that is deployed without significant weaknesses
or gaps in any area of the company
- a strong, fact-based and systematic evaluation/improvement process
and extensive organizational learning as key management tools, as
well as strong refinement and integration, all backed by
company-level analysis and sharing
- an approach that is fully integrated with identified business needs
Correspondingly, strength in the results obtained by management
actions implies:
- excellent level of performance in the areas of importance to the
company's business requirements
- strong improvement trends and good sustained performance levels
in the key areas of business
- evidence of industry and benchmark leadership demonstrated in key
business areas
- business results that address key customer, market, process, and
action plan requirements
Fulfilling these strength criteria completely denotes performance
excellence. However, many companies are still at anecdotal or beginning
levels (see figure 5).
Assessments can be made by a first party (the company itself),
a second party (a customer), or a third party (an organization independent
of the first two). It is crucially important that the company's
own leadership self-assesses alongside business management and initiates
improvement measures based on such assessment. One can also present
a first-, second-, or third-party certificate on the basis of an assessment
(or an audit), indicating how certain assessment criteria are met.
Third-party certificates have often been given overly emphasized significance.
There is ample evidence, especially from the field of quality management,
that one cannot in reality assure quality (or information security)
on the basis of such certificates. Focusing on certificates has also
easily had a decelerating or damaging effect on striving towards continual
improvement in realizing performance excellence.
Excellence of information security as an objective
When operating in a competitive business situation, the only possible
goal of a company is performance excellence, because only on this
basis can long-term competitiveness be realized. The goal of superiority
should also be applied to information security management (ISM) and
information security assurance (ISA). In this case it is not enough
merely to comply with certain external standardized requirements.
Comprehensive information security management with performance excellence
as its goal calls for the systematic development of approaches,
their effective and efficient implementation in practice,
and continuous assessment and improvement measures at various levels
of the organization.
References
1. J. Anttila, "Managing and assuring information security in
integration with business management of a company", in Information
Security: Small Systems Security & Information Security Management,
Vol. 2, edited by J. H. P. Eloff and R. von Solms (Vienna, Budapest: IFIP
WG 11.2, September 1998).
2. J. Anttila, "Business process management, a core issue of implementation
of information security", in Information Security and Law: Current
Issues of Information Security, edited by A. Saarenpää (Rovaniemi: Lapland
University, 2002).
3. J. Anttila, "Business Integrated e-Quality - Innovative opportunity
for modern advanced organizations", EOQ Conference Proceedings
(Harrogate, UK: EOQ and IQA, 2002).
4. A Code of Practice for Information Security Management (London:
Department of Trade and Industry, DISC PD003, British Standards Institution,
1993).
5. Information Technology Security Evaluation Criteria (ITSEC) (Brussels,
Luxembourg: ECSC-EEC-EAEC, 1991).
6. J. Kajava and M. T. Siponen, "Security management and organizations
- bottom up or top down approach?", in Proceedings of the Nordic Workshop
on Secure Computer Systems (NORDSEC '96), edited by E. Jonsson (Gothenburg:
SIG Security and Chalmers University of Technology, Department of
Computer Engineering, November 1996).
7. J. Anttila and J. Vakkuri, "ISO 9000 for the Creative Leader"
(Helsinki: Sonera Corporation, 2001).
8. J. Anttila and J. Vakkuri, "Good Better Best" (Helsinki: Sonera
Corporation, 2000).
9. ISO 9000:2000, Quality Management Standards (Geneva: International
Organization for Standardization, ISO, 2000).
[This text was presented as a paper at IPICS Winter School at the
University of Oulu, Finland in March 2003]