In today's global markets, business operations are mostly enabled by the use of technology. Across the board, businesses make deals, track client accounts and inventory company assets by using information technology (IT). Information technology is said to be the vehicle that stores information, an organisation's most valuable resource, and transports it from one department to another. Whenever that vehicle breaks down, even briefly, business deals fall through, data is lost, and company assets become even more vulnerable to threats from inside and outside the organisation.
In the last 20 years technology has permeated every part of the business environment. Businesses now move when employees move, from city to city. Since businesses have become more fluid, the initial concept of computer security has been replaced by the concept of information security. This is because information security covers a wide range of issues, from the protection of data to the protection of human resources. Information security is no longer the task of a small, dedicated group of individuals in the organisation; rather, it is the responsibility of all employees and, above all, of management.
As businesses increasingly recognise the importance of information security, they are beginning to create new positions to solve the newly perceived problems. Organisations must realise that information security funding and planning decisions involve three distinct groups of decision makers, not just technical managers. The three groups of decision makers are:
- Information security managers and professionals
- Information technology managers
- Non-technical business managers and professionals
These three groups work hand in hand on an overall plan to protect the organisation's information assets.
The information security community protects the company's information assets from the various threats that the company faces from time to time.
The information technology community supports the business objectives of the company by supplying and maintaining all the information technology that the company needs to succeed.
The non-technical general business community manages and communicates company policy, mission statement and objectives. It also allocates resources to the other groups.
Working together, these three groups make collective decisions on how best to secure the organisation from the various security threats that may come from outside or inside the organisation.
What is security? To understand the technical aspects of information security, the definitions of some information technology terms and concepts must be understood. Michael and Herbert (2004) defined security as the quality or state of being secure, that is, free from danger. To be secure is to be protected from adversaries or other hazards. Security is usually achieved by means of several strategies undertaken simultaneously or in combination with one another. These strategies focus on different goals, but in the long run they share many common elements and serve a common purpose, which is to secure. From a management view, all these strategies must be well planned, staffed, organised, directed and controlled so that they can achieve the common goal of protection.
Examples of the specialised areas of security include:
Physical security: This mainly deals with strategies to protect individuals, physical assets and the workplace from different kinds of threats, such as fire, natural disaster, and unauthorised access.
Personal security: This is related to physical security and concerns the protection of the individuals within the organisation.
Operations security: This secures the organisation's day-to-day activities against interruption or compromise.
Communications security: This encompasses the protection of the company's communications media, technology and content, and its ability to use these tools to achieve the organisation's objectives.
Network security: Protection of the organisation's data network is very important, as the network is the area most exposed to threats. The protection of the various networking devices, connections and contents is vital to the organisation's data communication function.
All these areas contribute to the information security program of the organisation as a whole.
Security is Inconvenient
Security, by its nature, is inconvenient, especially in SMEs, and the more elaborate and technical the security mechanism, the more inconvenient the whole security process becomes. Employees have a great deal of work to do and want to get their jobs done right away. Most security mechanisms, from passwords to various kinds of authentication, are seen by employees as obstacles to their productivity. One common trend in information security is to add whole-disk encryption to laptops or desktops. This is highly recommended because it adds a second login step before any computer user can gain access to perform tasks on the computer. John (2009) went on to explain that security implementations sit on a sliding scale: one end of the scale is total security and total inconvenience, while the other is total insecurity and complete ease of use. Before implementing any security mechanism, an organisation is advised to use this scale to determine where the level of security and ease of use match its acceptable level of risk.
In the ever-changing world of global data communications, inexpensive internet connections, and fast-paced software development, information security is becoming more important. Security is a basic requirement in today's world for anyone who wants to keep information safe, because global computing is inherently insecure; as explained earlier, it can be inconvenient but it is necessary. As data is transmitted from one point to another, it passes through several points along the way, giving other people the opportunity to eavesdrop on or intercept the information being transmitted and even alter it. Nikos (2007)
By definition, information security exists to protect an organisation's valuable information resources. An effective information security program preserves the organisation's information assets and helps to meet business objectives. Thomas (2002) made it clear that information security policies, procedures, and standards are the guidelines for effective information security management, and that they provide the tools an organisation needs to select, develop, and apply a security program that will be seen not as a nuisance but as a means of meeting the organisation's goals.
Key concepts of Information Security
To understand the management of information security better, it is necessary to be familiar with the key characteristics of information that make it valuable to SMEs. The first three characteristics are those of the C.I.A. triangle model (confidentiality, integrity, and availability).
Confidentiality of information ensures that only individuals who have been authorised may have access to certain information. When unauthorised persons or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used, which include:
- Information classification
- Secure document storage
- Application of general security policies
- Training of information custodians and end users
In organisations, confidentiality of information is most important for personal information about employees and customers. Individuals expect that it is the organisation's responsibility to closely guard such information. Whether the organisation is a federal agency, a commercial enterprise, or a non-profit charity, problems occur when confidential information is disclosed. Disclosure of information can occur in various ways, deliberately or by mistake. For example, confidential information could be mistakenly emailed to the wrong recipient, inside or outside the organisation. Or perhaps an employee discards a document containing confidential information without destroying it.
Integrity simply means the quality or state of being whole, complete and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being entered, stored, or transmitted. Michael and Herbert (2004)
It is well known that many computer viruses and worms are designed to corrupt data. That is why a key method for detecting an integrity failure in a file system after a worm or virus attack is to check the size of the files in question or, in more advanced operating systems or with dedicated software, the file's hash value.
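The size-versus-hash check described above, as an added example that is not part of the original text: it records a baseline of file sizes and SHA-256 hashes, then reports files whose content changed, including a same-length edit that a size check alone would miss. The directory and files are constructed in a temporary folder so the script runs offline.

```python
"""Integrity baseline and verification (added example, not from the original text).
Records (size, sha256) for every file under a root and later compares the tree
against that baseline, flagging modified, missing and added files."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(root):
    """Map each regular file's path (relative to root) to its fingerprint."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def verify(root, baseline):
    """Compare the current tree to the baseline.

    Returns a dict with four lists: 'modified' (hash differs), 'same_size_modified'
    (hash differs but size is unchanged, i.e. invisible to a size-only check),
    'missing' (in baseline, gone now) and 'added' (present now, not in baseline)."""
    current = build_baseline(root)
    findings = {"modified": [], "same_size_modified": [], "missing": [], "added": []}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            findings["missing"].append(rel)
            continue
        cur_size, cur_digest = current[rel]
        if cur_digest != digest:
            findings["modified"].append(rel)
            if cur_size == size:
                findings["same_size_modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            findings["added"].append(rel)
    return findings


def demo():
    """Constructed scenario: baseline two files, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("debug=0\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("hello\n")
        baseline = build_baseline(root)

        # Same-length edit: size stays 8 bytes, so only the hash reveals it.
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("debug=1\n")
        os.remove(os.path.join(root, "notes.txt"))      # a file disappears
        with open(os.path.join(root, "dropped.bin"), "wb") as f:
            f.write(b"\x00")                             # a new file appears
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```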
Availability is the characteristic of information which allows users to access information without obstruction or interference. A user in this case may be either a person or another computer system. Availability does not imply that the information is accessible to every user, but only to authorised users.
Privacy does not solely mean freedom from observation; it means that information will be used only in ways known to the individual who provides it. When organisations collect, use, and store data, the information is to be used only for the purpose stated to the owner of the data at the time of collection. In the case of Alphavita, all client information that is collected must not be swapped or sold to other entities, and wherever this has to be carried out, the consent of the information owner must be sought.
Identification is the initial step in gaining access to a secured material, and it also serves as the foundation for subsequent authentication and authorisation. An information system possesses the characteristic of identification when it is able to recognise individual users. Identification and authentication are essential in establishing the level of access that an individual is granted in an organisation, because they play a major role in information security. In most cases identification is performed by means of a user name or another form of identifier.
Authentication occurs when a control provides proof that a user possesses the identity that he or she claims to have.
Authorisation is the third stage, after a user has been identified and authenticated. Authorisation provides assurance that a user has been specifically and explicitly authorised to access, update, or delete the contents of an information asset. An example of this is a database authorisation scheme that verifies that the user of an application is authorised for specific functions such as read, write, create, and delete.
Accountability exists when a control provides assurance that every activity undertaken can be traced down to a named person or automated process. An audit log is a very good example of accountability because it tracks user activity on an information system.
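The four stages above (identification, authentication, authorisation and accountability) run in order on one request, as an added example that is not from the original text. The user store, the role-to-function scheme (read, write, create, delete) and the audit log are constructed in memory, and password hashing uses PBKDF2 from the Python standard library.

```python
"""Identification, authentication, authorisation and accountability on one request
(added example, not from the original text). Everything is constructed in memory."""
import hashlib
import hmac
import os
import time

# Constructed authorisation scheme: the functions each role may perform on an asset.
PERMISSIONS = {
    "clerk": {"read"},
    "analyst": {"read", "write"},
    "dba": {"read", "write", "create", "delete"},
}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Salt is generated if absent."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class AccessControl:
    def __init__(self):
        self.users = {}       # identification: user name -> (salt, digest, role)
        self.audit_log = []   # accountability: one record per decision, allowed or not

    def add_user(self, username, password, role):
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, role)

    def _record(self, username, action, asset, outcome):
        """Append an audit record so every decision traces back to a named user."""
        self.audit_log.append({"ts": time.time(), "user": username,
                               "action": action, "asset": asset, "outcome": outcome})

    def request(self, username, password, action, asset):
        """Return True only if all three stages pass; log the outcome either way."""
        record = self.users.get(username)
        if record is None:                                 # identification failed
            self._record(username, action, asset, "unknown user")
            return False
        salt, digest, role = record
        _, attempt = hash_password(password, salt)
        if not hmac.compare_digest(attempt, digest):       # authentication failed
            self._record(username, action, asset, "bad credentials")
            return False
        if action not in PERMISSIONS.get(role, set()):     # authorisation failed
            self._record(username, action, asset, f"denied ({role} cannot {action})")
            return False
        self._record(username, action, asset, "allowed")
        return True


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "correct horse", "clerk")
    print(ac.request("alice", "correct horse", "read", "customers"))    # True
    print(ac.request("alice", "correct horse", "delete", "customers"))  # False
    for entry in ac.audit_log:
        print(entry)
```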
Another aspect of security solution concepts and principles is the element of protection mechanisms. These are common characteristics of security controls. Not all security controls must have them, but many controls offer their protection for confidentiality, integrity, and availability through the use of these mechanisms. These mechanisms include using multiple layers or levels of access, employing abstraction, hiding data, and using encryption.
Layering, also known as defence in depth, is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. When security solutions are designed in layers, most threats are eliminated, mitigated, or thwarted. Using layers in a series rather than in parallel is important. Performing security restrictions in a series means to perform one after the other in a linear fashion. Only through a series configuration will each attack be scanned, evaluated, or mitigated by every security control. A single failure of a security control does not render the entire solution ineffective. If security controls were implemented in parallel, a threat could pass through a single checkpoint that did not address its particular malicious activity. Serial configurations are very narrow but very deep, whereas parallel configurations are very wide but very shallow. Parallel systems are useful in distributed computing applications, but parallelism is not often a useful concept in the realm of security.
Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. Thus, the concept of abstraction is used when classifying objects or assigning roles to subjects. The concept of abstraction also includes the definition of object and subject types or of objects themselves (that is, a data structure used to define a template for a class of entities). Abstraction is used to define what types of data an object can contain, what types of functions can be performed on or by that object, and what capabilities that object has. Abstraction simplifies security by enabling you to assign security controls to a group of objects collected by type or function.
Data hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject. Keeping a database from being accessed by unauthorized visitors is a form of data hiding, as is restricting a subject at a lower classification level from accessing data at a higher classification level. Preventing an application from accessing hardware directly is also a form of data hiding. Data hiding is often a key element in security controls as well as in programming.
Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients. Encryption can take many forms and be applied to every type of electronic communication, including text, audio, and video files, as well as applications themselves. Encryption is an important element in security controls, especially in regard to the transmission of data between systems. There are various strengths of encryption, each of which is designed and/or appropriate for a specific use or purpose.
Why is information security important?
In today's high technology environment, organisations are becoming more and more dependent on information systems. The public is increasingly concerned about the proper use of information, particularly personal data. The threats to information systems from criminals and terrorists are increasing. Many organisations will identify information as an area of their operation that needs to be protected as part of their system of internal control. Turnbull (2003)
It is important to be concerned about information security because a large percentage of a business's value is concentrated in the value of its information. Grant (1998) made it clear that information is the basis of competitive advantage. In not-for-profit sectors, with the increase in public awareness of identity theft and the power of information, it is said to be the area of an organisation's operations that most needs control. Turnbull (2003) It is impossible for organisations to function without some form of information. Therefore valuing and protecting information is very important for modern organisations.
If information were easy to value and protect, it would be easy to buy off-the-shelf information security solutions. There are three characteristics of information security that make this impossible.
- The collection of influences to which each organisation is exposed varies with the organisation: the information technology it uses, its employees, the area of business in which it specialises (in this case, management and information technology consulting), and its physical location. All of these affect the way the information security of the organisation has to be managed.
- Information security affects every structural and behavioural aspect of an organisation: a small hole in the security fence can allow information to be stolen by unauthorised persons. Likewise, a computer infected with a virus or worm and connected to the network can affect other computers on the network and destroy vital information.
- Individuals such as managing directors, malicious hackers, customers surfing the internet and even the information security officer will each have different comments to make on the information security of the organisation.
Thus information security and its management are narrowed down to particular organisational contexts.
Security is not about Hardware and software
As explained by Vacca (2009), most organisations believe that if they buy enough equipment they can create a secure infrastructure. Firewalls, intrusion detection systems, antivirus programs, and authentication products are just some of the tools available to assist in protecting a network and its data. It is imperative to be aware that no product or combination of products is enough to secure an organisation.
Security is a process, and no equipment or tool can replace the process. All security products are only as secure as the individuals who configure and maintain them. Purchasing and implementing security products accounts for only a fraction of the security budget. Employees who are tasked with maintaining the security infrastructure must be given enough time, training and equipment to support it fully. Unfortunately, in most organisations security activities take a back seat to support activities. These highly skilled professionals are often tasked with help desk work such as resetting forgotten passwords, fixing jammed printers, and setting up new employee workstations.
Computer users are Unsophisticated
Vacca (2009) notes that most computer users believe that because they are skilled at generating spreadsheets, word processing documents and presentations, they know a great deal about computers. Those known as power users have moved beyond merely knowing how to use applications, but many still do not understand even basic security concepts. Such users, who appear to know all about using a computer, visit websites and install basic software without realising that the "bad guys", people who want to intercept or steal information from computer systems, have identified that the average computer user knows little or nothing about computer security. As organisations began to invest more money in perimeter defences, these attackers looked for another path, which is to use end users to get the information they need. They send malware as attachments to email, asking recipients to open the attachments. Despite having been told not to open attachments from unknown sources, users still go ahead and open them because they know little about security, causing havoc and wrecking their networks. More recently, phishing scams have been very effective in convincing users to hand over their bank details and credit card information. Why would an attacker struggle to penetrate the network when users are more than willing to hand over the keys to their bank accounts? Addressing the threat that users bring to the organisation is a significant part of any security program.
What is management?
To make the information security process more effective, it is important to understand certain core principles of management. Unfortunately, in management it is difficult to find standard definitions for many commonly used terms, yet a common vocabulary and common understanding are essential for successful communication. In 1980, the president of the American Management Association (AMA) used this definition of management: management is getting things done through other people. A current definition describes management as working with and through other people to accomplish the objectives of both the organisation and its members. Montana and Charnov (2000)
A manager is someone who works with and through other people, coordinating and supervising their work activities in order to accomplish organisational goals. A manager has various roles to play in an organisation, some of which include the following:
- Informational role: collecting, processing and using information that can affect the completion of the objective of the organisation.
- Interpersonal role: interacting with superiors, subordinates, external stakeholders and other necessary groups that influence or are influenced by the completion of the task.
- Decisional role: making selections from various approaches and resolving conflicts, dilemmas or challenges.
Management sees security as a drain on the bottom line.
For most organisations, especially some SMEs, the cost of creating a strong security posture is seen as a necessary evil, just like purchasing insurance. Most organisations do not want to spend money on security, but the risks of not making the purchase outweigh the costs. This kind of challenge makes it extremely difficult to create a secure organisation, because requests for security tools are usually supported by documents giving the average cost of a security incident instead of showing the more concrete benefits of a strong security posture. The problem is often aggravated by the fact that IT professionals speak a different language from management. IT professionals understand more about security issues, why security is necessary and why it must be implemented by the organisation, whereas management is more focused on revenue. Concepts such as profitability, asset depreciation, return on investment, realisation, and total cost of ownership are what management is interested in, and all of these concepts mean almost nothing to an IT professional. Realistically, it would help the organisation if management took steps to learn more about fundamental information technology issues. It is also an advantage if IT professionals take the initiative and learn some fundamental business concepts. Learning these concepts is beneficial to the organisation because the technical infrastructure can then be implemented in a cost-effective manner, and it is beneficial from a career development perspective for IT professionals.
As explained by Stewart, Tittel, and Chapple (2008), another important aspect of security management is the control or management of change. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. This usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms. The records of changes to an environment are then used to identify agents of change, whether those agents are objects, subjects, programs, communication pathways, or even the network itself. The goal of change management is to ensure that any change does not lead to reduced or compromised security. Change management is also responsible for making it possible to roll back any change to a previous secured state. Change management can be implemented on any system regardless of its level of security. It is a requirement for systems complying with the Information Technology Security Evaluation and Criteria (ITSEC) classifications of B2, B3, and A1. Ultimately, change management improves the security of an environment by protecting implemented security from unintentional, tangential, or affected diminishments. Although an important goal of change management is to prevent unwanted reductions in security, its primary purpose is to make all changes subject to detailed documentation and auditing and thus able to be reviewed and scrutinized by management.
Change management should be used to oversee alterations to every aspect of a system, including hardware configuration and OS and application software. Change management should be included in design, development, testing, evaluation, implementation, distribution, evolution, growth, ongoing operation, and modification. It requires a detailed inventory of every component and configuration. It also requires the collection and maintenance of complete documentation for every system component, from hardware to software and from configuration settings to security features. The change control process of configuration or change management has several goals or requirements:
- Implement changes in a monitored and orderly manner. Changes are always controlled.
- A formalized testing process is included to verify that a change produces expected results.
- All changes can be reversed.
- Users are informed of changes before they occur to prevent loss of productivity.
- The effects of changes are systematically analyzed.
- The negative impact of changes on capabilities, functionality, and performance is minimized.
Top Management Support: The Necessary but Insufficient Condition
Top management support is not an isolated information security issue, nor is gaining support from senior management an end in itself. A number of questions come to mind when thinking about top management support, mainly: what specifically should top management focus on to improve organizational security effectiveness? To answer this question, the list of top issues as well as the comments from the study participants are reviewed.
Top Management Support
Top management support refers to the degree that senior management understands the importance of the security function and the extent that management is perceived to support security goals and priorities. By virtue of their position, top management can significantly influence resource allocation and act as a champion of change in creating an organizational environment conducive to security goals. Support from top management has been recognized for at least four decades as necessary for effective computer security management. For example, Joseph Wasserman discussed the importance of executive support in a 1969 Harvard Business Review article stating, "Computer security thus involves a review of every possible source of control breakdown. One factor that has made the job more difficult is lack of awareness by many executives of new control concepts required for computer systems." Although recognized as early as the 1960s as being critical, it is still difficult to get many executives to understand information security concepts. Four specific areas that are especially appropriate for senior management to focus on in support of their security programs are now addressed.
Training is a mechanism of organizational influence that serves to indoctrinate members to internalize important knowledge and skills so that workers make decisions consistent with organizational objectives. The goal of a security training and awareness program is to heighten the importance of information security as well as to make workers aware of the possible negative consequences of a security breach or failure. Awareness alerts employees to the issues of IT security and prepares them to receive the basic concepts of information security through a formal training program. Security awareness helps reinforce important security practices through initial as well as cyclical and ongoing training events. Consequently, training and awareness programs can also positively influence the culture of an organization so that workers have a favorable mindset about security practices in general. This is critical because many security incidents are the result of employees' lack of awareness of cyber threats as well as of the organizational policies and procedures aimed at minimizing such threats. The study participants emphasized the criticality of security training by ranking user awareness training and education as the second most critical of 25 issues (see Exhibit 5.1). One participant stated, "Training and end user awareness allows for dissemination of information about best practices, methods for doing things, as well as raising awareness among the end user population about potential threats." Another participant said, "Awareness training will do more for security effectiveness than any new firewall or intrusion protection system." Based on the study participants' suggestions and comments, four key actions for management in support of training goals are offered. First, if one does not exist, management must champion a robust organizational security training program and support it with adequate resources.
Second, management can provide leadership by example through attendance and completion of all one-time and cyclical training events as required by the program. Third, management should comply with organizational security policies and practice good security principles in their daily activities. Fourth, management can talk about the importance of security both formally and informally in the organization. By doing these things, management will be perceived by employees as supportive not only of security training but also of the overall security program.
Organizational culture is the set of beliefs, values, understandings, and norms shared by members of an organization. Culture is the unseen and directly unobservable influence behind the organizational activities that can be seen and observed. Some academics argue that the only thing of real importance that leaders can do is to create and manage a positive organizational culture. The security culture of an organization can be viewed as the shared beliefs and attitudes workers have toward security goals and practices. If most employees tend to resist and circumvent policies, for example, the security culture is poor. However, if most workers embrace security policies and view them as an integral part of their job, then the security culture is constructive. Culture can be influenced by the organization's training and awareness program. A strong training program will help build a culture favourable to security-minded thinking among employees. The study participants ranked organizational culture as the seventh most critical of the 25 issues. One study participant articulated the overall importance of culture by stating, "Without a corporate culture solidly based on security, all the policies and procedures on the planet will not be effective at maintaining (security)." Another said, "The executive drives the company culture and the resources allocated. This is the primary factor, followed by the technical expertise of the people implementing security technologies." Management can help build either a security friendly or security resistant culture through its example. If management practices good security, employees will follow the lead. If managers practice poor security, employees will tend to do the same.
A policy is a general rule that has been laid down in an organization to limit the discretion of workers, with top management typically promulgating the more important policies. In regard to security, policy defines an organization's high-level security philosophy and is the precondition to establishing effective security deterrents. Deterrents are important because they can ward off potential abusive acts by employees, primarily through the fear of sanctions and unpleasant consequences. Security policies should be relevant and support the organization's business goals and objectives. One way to maintain relevant security policies is to establish a regular policy review process. Once established, the content of policy should be periodically reviewed to ensure it reflects current legal mandates (e.g., Sarbanes-Oxley Act of 2002), professional standards (e.g., ISO/IEC 17799 2005), and threats (e.g., risks associated with small storage devices).
Study participants ranked policy-related issues as the sixth most critical of the 25 issues. One participant stressed the value of conducting a risk assessment prior to developing and maintaining policy: "Part of consensus building is defining what a policy will cover that is actually pertinent to the organization as opposed to implementing security for security's sake. Just because it may be a best practice and good security to implement certain controls does not mean it is meaningful to a given organization. Consequently, risk analysis and vulnerability assessment must precede policy development." Another said, "Buy-in must be secured both from upper-management and the employees to ensure that policies are relevant, enforced, and properly updated with an eye on the needs of the organization as a whole." Many participants discussed the importance of regular (e.g., at least annual) review and updates of approved policies in order to maintain their relevance to current laws, professional standards, business objectives, and security threats. To keep security policies relevant, top management must insist that approved policies are regularly reviewed to ensure continuous support of the needs of the business.
Once management approves a set of relevant policies, they should be enforced. To enforce means to compel observance of, or obedience to, a policy. One way of enforcing policies is to administer monetary penalties to employees who violate policy. Management should consider dismissing employees who repeatedly violate policy. Yet managers have a key role to play in designing monitoring and enforcement systems that are effective without being viewed as too extreme or invasive by employees. In other words, an enforcement system should strike a balance between being viewed as too lenient and too onerous by the employees. If this balance is reached, employees not only tolerate the monitoring system, but also understand and approve of it. Although only a few study participants commented on this specific aspect of policy enforcement, a reading of all the participant responses from the study suggests that many organizations tend to err on the side of being too lenient rather than too onerous in their monitoring and policy enforcement systems. One study participant discussed the role of management in this area by stating, "Executive management must take an active role in the enforcement of all corporate policies. Without this support from the organization's leadership, any policies that do get distributed will not be totally effective." Another participant summarized management's responsibilities with, "Management must not only communicate the 'contents' of the policy, but also the need for it. Management should reinforce the need and importance with consistent enforcement as well as a clearly-defined process for updates and reviews." Fortunately, automated tools are available to help monitor and log the cyber activities of employees and can facilitate the enforcement process. If an employee is caught violating a security policy, management must ensure that appropriate sanctions and penalties are applied.
Another method of enforcement involves including security compliance metrics in an employee's annual performance evaluation. If this evaluation factors into the organization's promotion decision process, employees are more likely to take security policy seriously. Otherwise, as one participant stated, "A policy may become a 'paper tiger' with no 'teeth' if there is no enforcement."
Information Security Effectiveness
The term effective means producing or capable of producing a desired outcome. In security, an effective program will minimize security risks, vulnerabilities, and the likelihood of costly security incidents. Effectiveness can also be viewed in terms of success. A successful security program, for example, should minimize or eliminate costly security breaches. Security effectiveness can be viewed from the individual as well as the team perspective. One participant stressed the importance of the individual by saying, "Ultimately, the success of security lies in the individual. Technology can facilitate security. Only individuals can ensure security." Another participant stressed the necessity of teamwork: "Everyone (in the organization) must cooperate; only one (employee) not trying is enough to reduce the program to non-functionality." Therefore, an effective information security program will have employees at all organizational levels practicing solid security principles while cooperating with corporate goals and policy. It is worth noting that information security professionals can measure effectiveness by using employee perceptions in addition to more quantifiable, objective measures. Problems can arise when attempting to measure security effectiveness exclusively by objective means. It can be difficult to know whether hard data (e.g., number of incidents, financial losses) are accurate and complete, considering that security incidents are sometimes underreported or completely undetected. Organizations that do report security incidents may be embarrassed and suffer a loss of reputation if the media discover and then report an incident. To avoid any public embarrassment, some organizational workers may be motivated to minimize the reporting of security breaches.
Therefore, although collecting hard numbers may be helpful, they have limitations that may paint a misleading picture of the overall security effectiveness of an organization, because one can never know whether the numbers are complete and accurate. An alternative way of evaluating security effectiveness is to measure employee perceptions of organizational security practices. For example, if employees notice that security is taken seriously and practiced at all organizational levels, measuring this perception can be a reliable indicator that the program is working and effective. Likewise, if employees perceive that they are properly trained and knowledgeable about cyber threats as well as the corporate policies that address these threats, this perception can also be an indicator that the security program is working and effective. In this manner, practitioners can use the proposed model from this study as a guide to help organizations evaluate the overall effectiveness of their information security program. The model illustrated in Exhibit 5.2 stresses a positive relationship between levels of top management support, user training, security culture, policy relevance, policy enforcement, and information security effectiveness. In general, higher levels of these constructs, such as top management support and user training, lead toward higher levels of effectiveness. Taken as a whole, measuring security effectiveness should be a multifaceted task involving the collection of both hard, objective data and soft, subjective perceptions.
What Is Security Management?
The definition of security management may take different forms, depending on the role of the organization or individual being asked. The definition of security management from Wikipedia states: "Security management: In network management, the set of functions (a) that protects telecommunications networks and systems from unauthorized access by persons, acts, or influences and (b) that includes many sub-functions, such as creating, deleting, and controlling security services and mechanisms; distributing security-relevant information; reporting security-relevant events; controlling the distribution of cryptographic keying material; and authorizing subscriber access, rights, and privileges."
Security management, as defined by the Information Technology Infrastructure Library (ITIL), follows:
The ITIL process Security Management describes the structured fitting of information security into the management organization. ITIL Security Management is based on the code of practice for information security management also known as ISO/IEC 17799, now ISO/IEC 27001. A basic concept of security management is information security. The primary goal of information security is to guarantee the safety of the information. Safety means being protected against risks, and security is the means of being safe against risks. When protecting information, it is the value of the information that has to be protected. These values are stipulated by confidentiality, integrity, and availability. Inferred aspects are privacy, anonymity, and verifiability.
Note the inclusion of ISO/IEC 17799 in the definition of security management. The proper use of the standards is critical to an organization. Standards help to define and detail requirements for security management within an organization. As determined by the International Standards Organization in the standard BS ISO/IEC 27001:2005, management of security, in the form of implementation and certification of an information security management system, provides considerations for people, process, data, technology, and facilities. This standard prescribes a cohesive and mutually dependent framework that enables proper implementation of security management principles within an organization. As stated on the Standards Direct website, "ISO 27001 is a 'specification' for an ISMS (Information Security Management System), officially titled Information Technology - Security Techniques - Information Security Management Systems - Requirements." ISO 27001 replaces BS 7799-2:2002, which previously described the ISMS specification.
This standard is harmonized with ISO 17799, which is regarded as a code of practice for information security, and with BS 7799, of which the latest version, BS 7799-3:2005, is titled Information Security Management Systems - Guidelines for Information Security Risk Management. These standards will be discussed in more detail later in this chapter.
Why Is Security Management Important?
As can be seen from the above discussion, security management is essential to an organization that must protect its critical assets, including data, infrastructure, and people; in other words, security management is critical to every organization. Without a plan for security management, assets may be protected in an ad hoc, sporadic fashion, or not at all.
Who Performs Security Management?
In general, security is the entire organization's responsibility. On a more granular level, however, security management can be viewed as a primary responsibility for teams involved in risk management activities; infrastructure design, development, and maintenance (including network, server, and workstation architecture); application development; compliance; and safety and security. Senior management is also involved and, as corporate officers, are the owners of security within the business. In many organizations, individuals on these teams may also play a role on an interdisciplinary team tasked with jointly monitoring the security state of the organization. A good example of this type of team is a forensics team that is tasked with investigating incidents and eradicating the consequences of such incidents for the organization.
Data security is at the core of what needs to be protected in terms of information security and mission-critical systems. Ultimately it is the data that the organization needs to protect in many cases, and usually data is exactly what perpetrators are after, whether trade secrets, customer information, or a database of Social Security numbers: the data is where it's at! To be able to properly classify and restrict data, the first thing to understand is how data is accessed. Data is accessed by a subject, whether that is a person, a process, or another application, and what is accessed to retrieve the data is called an object. Think of an object as a cookie jar with valuable information in it; only select subjects have the permissions necessary to dip their hands into the cookie jar and retrieve the data or information that they are looking for. Both subjects and objects can be a number of things acting in a network, depending on what action they are taking at any given moment, as shown in Figure 1.
Data classification is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. It is inefficient to treat all data the same when designing and implementing a security system because some data items need more security than others. Securing everything at a low security level means sensitive data is easily accessible. Securing everything at a high security level is too expensive and restricts access to unclassified, noncritical data. Data classification is used to determine how much effort, money, and resources are allocated to protect the data and control access to it. The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity. Data classification is used to provide security mechanisms for storing, processing, and transferring data. It also addresses how data is removed from a system and destroyed.
The following are benefits of using a data classification scheme:
- It demonstrates an organization's commitment to protecting valuable resources and assets.
- It assists in identifying those assets that are most critical or valuable to the organization.
- It lends credence to the selection of protection mechanisms.
- It is often required for regulatory compliance or legal restrictions.
- It helps to define access levels, types of authorized uses, and parameters for declassification and/or destruction of resources that are no longer valuable.
The criteria by which data is classified vary based on the organization performing the classification. However, it is possible to derive numerous generalities from common or standardized classification systems:
- Usefulness of the data
- Timeliness of the data
- Value or cost of the data
- Maturity or age of the data
- Lifetime of the data (or when it expires)
- Association with personnel
- Data disclosure damage assessment (that is, how the disclosure of the data would affect the organization)
- Data modification damage assessment (that is, how the modification of the data would affect the organization)
- National security implications of the data
- Authorized access to the data (that is, who has access to the data)
- Restriction from the data (that is, who is restricted from the data)
- Maintenance and monitoring of the data (that is, who should maintain and monitor the data)
- Storage of the data
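The subject/object access model described above and the label-based classification scheme, with its access levels and declassification/destruction parameters, can be made concrete in a small access decision routine. The following is an added example and not code from the page or from any of the standards it cites; the level names, compartment strings, subjects, objects, and dates are all constructed for illustration. A subject may read an object only when its clearance dominates the object's effective label, and the effective label itself changes over the data's lifetime (declassified to PUBLIC after one date, unavailable after the destruction date), which is how the "lifetime of the data" criterion listed above enters the decision.

```python
"""Label-based access decisions for a data classification scheme (constructed example)."""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import FrozenSet, Optional, Tuple


class Level(IntEnum):
    # Hypothetical ordered sensitivity levels; an organization defines its own.
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Label:
    """A classification label: a level plus need-to-know compartments."""
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: at least as high a level AND every compartment of `other`.
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass(frozen=True)
class Subject:
    """A person, process, or application that wants to reach an object."""
    name: str
    clearance: Label


@dataclass(frozen=True)
class DataObject:
    """The 'cookie jar': data carrying a label and lifetime parameters."""
    name: str
    label: Label
    declassify_on: Optional[date] = None  # from this date on, treated as PUBLIC
    destroy_on: Optional[date] = None     # from this date on, must not be readable


def effective_label(obj: DataObject, today: date) -> Optional[Label]:
    """Apply the declassification/destruction parameters; None means 'destroyed'."""
    if obj.destroy_on is not None and today >= obj.destroy_on:
        return None
    if obj.declassify_on is not None and today >= obj.declassify_on:
        return Label(Level.PUBLIC)
    return obj.label


def decide_read(subject: Subject, obj: DataObject, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason string is meant for an audit log."""
    label = effective_label(obj, today)
    if label is None:
        return False, f"{obj.name}: past destruction date {obj.destroy_on}"
    if subject.clearance.dominates(label):
        return True, f"{subject.name} clearance dominates {label.level.name} label"
    return False, (f"{subject.name} lacks {label.level.name} level or compartments "
                   f"{sorted(label.compartments)}")


def can_read(subject: Subject, obj: DataObject, today: date) -> bool:
    return decide_read(subject, obj, today)[0]


# Constructed sample subjects and objects (not from the page).
ALICE = Subject("alice", Label(Level.SECRET, frozenset({"finance"})))
BOB = Subject("bob", Label(Level.INTERNAL))
CAROL = Subject("carol", Label(Level.SECRET))  # high level, no "finance" need-to-know
LEDGER = DataObject(
    "ledger",
    Label(Level.CONFIDENTIAL, frozenset({"finance"})),
    declassify_on=date(2030, 1, 1),
    destroy_on=date(2031, 1, 1),
)


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        for when in (date(2025, 6, 1), date(2030, 6, 1), date(2031, 6, 1)):
            allowed, why = decide_read(who, LEDGER, when)
            print(f"{when} {who.name:6} {'ALLOW' if allowed else 'DENY '} - {why}")
```

Note that a higher level alone is not enough: CAROL holds SECRET clearance but is denied the finance ledger until it is declassified, because her clearance lacks the "finance" compartment. The reason string returned with every decision is what you would write to the monitoring log so that the "maintenance and monitoring" criterion above has something to review.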