Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland
www.QualityIntegration.biz
GENERAL MANAGERIAL TOOLS FOR BUSINESS-INTEGRATED INFORMATION SECURITY MANAGEMENT
Abstract
This paper deals with two methodological frameworks, the PDCA model and the
Process Management Model, which are basic elements of the newest international
standardization of information security management. The models were originally
developed to support the quality of overall business management in any kind of
organization, and they entered the information security standards from the
ISO 9000 standards for quality management. The many possibilities of these
models are highlighted in this paper for the needs of information security
management that is seamlessly integrated (embedded) in general business
management activities. Additionally, some significant aspects of modern
business environments are considered in the context of these models and of
information security management.
Business-integrated information management
Information security is a matter of managerial interest for organizations
because it is significant, and in many cases even crucial, from the point of
view of realizing the business. In this sense the management of information
security is fully analogous to many other highly specialized key areas for
managing organizations towards competitive business performance and success.
These areas include the management of finance, human resources, product
quality, innovation, etc. In all these areas it is useful for organizations to
use established and recognized management approaches and practices.
Information security management can be defined as coordinated activities to
direct and control an organization with regard to information security. The
basic phenomena to be managed, which characterize information security in an
organization's products and business activities, are:
- Integrity - the information one is using is accurate
- Availability - one has access to the relevant information when and for as
long as it is needed
- Confidentiality - the information one is using is not manipulated by
anybody else
Because of its importance for an organization's sustainable business
performance, success, and business credibility, information security
management is in fact always squarely the responsibility of business leaders,
and all information security related activities should be integrated
seamlessly with normal business management activities. The same general
managerial principles and methodology may be used in all specialized
management areas, and information security management is no exception.
Applying the PDCA Model for managing information security
A well-known general model for all areas of management, including information
security, is the so-called PDCA model or Deming / Shewhart cycle (see figure
1). This model became popular especially through the American Dr. W. Edwards
Deming's lectures on managerial quality over several decades (from the 1950s
to the 1990s). Originally, however, the model was created by the American Dr.
Walter Shewhart in the 1920s. Later the Japanese Dr. Shoji Shiba did
remarkable work by combining the original PDCA model with ideas from knowledge
management and Buddhist philosophy. The American Dr. Joseph Juran's so-called
Trilogy Model also contains the same elements as the PDCA model. The PDCA
model also has consistent linkages with traditional systems theory and system
dynamics. In summary, the PDCA model has a great variety of applications,
possibilities, and uses.
The PDCA model is also strongly related to the following international
standards of information security management:
- ISO/IEC 27001:2005 - Information technology - Security techniques -
Information security management systems - Requirements
- ISO/IEC 17799:2005 - Information technology - Security techniques - Code of
practice for information security management
- ISO/IEC 11770-1:1996 - Information technology - Security techniques - Key
management - Part 1: Framework
These standards are the most recognized reference documents for a professional
approach to information security management worldwide, and they also
emphasize the integration of information security management. Additionally,
the OECD's guidance document:
- OECD Guidelines for the Security of Information Systems and Networks -
Towards a Culture of Security, 2002,
states that information security management should be an ingredient of all
organizations' and societies' business cultures.
The PDCA model describes how consistent management consists of four
consecutive activities:
- P: Planning the business activities, i.e. what should be done and what
results should be achieved
- D: Doing the business obligations according to the plans
- C: Checking what was done and what results were achieved
- A: Acting rationally, taking into account the observations and results of
the checking
Figure 1. PDCA model for management (or so called Deming / Shewhart
cycle) and its application in strategic and operational business management
In organizational environments the PDCA model is applied in three different
scopes:
- Control: managing daily operations in business processes in order to achieve
the specified results. Rectifying nonconformities is normally carried out in
connection with control.
- Prevention and operational improvements: solving acute problems, preventing
nonconformities, and finding and implementing step-by-step operational
improvements in business processes
- Breakthrough improvements: innovating and implementing strategically
significant changes in the way of doing business
Top business leaders (senior executives) are responsible for the breakthrough
improvements. Control, prevention, and small-step improvements should be
carried out under the responsibility of operational managers. All people
within the organization should be aware of the importance of information
security so that they are able to take it into account in their normal
everyday business tasks in a simple and natural way, without any additional
measures.
To ensure information security, an organization should carry out many
information security specific measures when planning, doing, and checking
business activities and results, and when reacting to the situation. Also for
information security, the organization should carry out corrective,
preventive, and continual improvement actions, and more comprehensive
re-engineering of business processes as necessary. The above-mentioned
international standards contain a lot of information on detailed methodology
for these information security tasks. However, although the standard ISO/IEC
27001 explicitly refers to the PDCA model, the standard applies the model
rather unsystematically, implicitly, and poorly for the purposes of
information security management.
There is no reason why control, prevention, small-step improvements, and
breakthrough improvements would not be relevant also in the field of
information security management. Even normal organizational quality
management practices oblige the use of such methods also for information
security. General managerial practices and means can be used, but
professional information security expertise should also be incorporated.
This means close and effective cooperation between business leaders and
information security experts.
Information security management through business process management
The process approach was already in use in ancient plant and construction
activities, and the concept is often referred to in cases of natural
development. Through industrialization, processes became an everyday concept
in the so-called process industry. From the 1980s the process approach has
been used for computers' internal activities according to the structured
analysis and design technique (SADT). However, the business process approach
has been used comprehensively and on a large scale for the benefit of business
management only for less than twenty years, and during that time many
practical means have been developed for that purpose. These approaches drew
especially on systems theory and system dynamics. The process concept was
introduced into the ISO 9000 quality management standards in the 1990s, and
only in very recent years did the methodology come to the international
standards of information security management.
Processes are inherent in all kinds of daily doings or activities within any
organization; in fact, originally the process concept simply denotes any kind
of activity or operation. Structural questions of business processes have
become an interesting management issue in order to increase the effectiveness
and efficiency of business operations. In some cases, however, there has been
a danger that structural aspects, e.g. formal process diagrams, were
harmfully over-emphasized in process management. Due to its business
significance, process management is by its basic nature a comprehensive
business management issue. Today, however, truly effective and efficient
process management implies a radical change to the established management
thinking and structures in many organizations.
All business results, including information security, are achieved through
managing business processes and projects. Basic (or core, or key; different
terms are used in different organizations) business processes are
continuously running interlinked business activities, and projects are
singular processes for unique business tasks. Both the strategic and the
operational management levels are involved in this process approach, the
strategic one focusing on managing the network of interlinked business
processes (i.e. the whole business system) and the operational one on
managing single processes and projects.
In integrating information security practices, it is extremely important to
understand information security issues in the context of business processes,
because in practice (operationally) information security originates from
processes. This is based on the fact that all process activities are nowadays
very strongly information-intensive, and information flows between these
activities, between different performers, and even between distant
operational locations (see the example of figure 2). Thus, information
security is affected directly and in real time through the process
arrangements, tools, and people in practical work, and through how these are
managed by appropriate and systematic practices.
Figure 2. Information security is realized in the activities and information
flows of business processes (e.g. order/delivery process).
Process management (see figure 3) describes how strategic and operational
business objectives are realized through business processes according to the
PDCA (Plan - Do - Check - Act) principle. The operations are managed by
feedback through measurements. There are in fact three PDCA loops in
comprehensive process management:
a) the loop of control and corrective actions
b) the loop of prevention
c) the loop of real improvements through innovative re-designing and
re-engineering of the process(es).
Figure 3. PDCA loops in business process management
Both the whole process network (the business system) and the individual
business processes are managed according to this systematic model.
Management of the comprehensive process network includes the normal
responsibilities of business management, e.g. using business plans, action
plans, business performance assessments, and regular business reviews. It is
essential that the business system is understood here especially as a network
of business processes and not only as functional units (organizational
"silos"). The scope of managing individual processes consists of process
planning, control of the operation, performance improvement, and quality
assurance. The bases for process management are the process plan, process
performance assessment, and the monitoring of process performance indicators.
The process plan is the most important managerial tool for process
management.
In order to take information security issues into account, one should
understand which phenomena within single business processes and between
different processes are critical from the information security point of view.
After that one may define suitable performance indicators and set
quantitative target values for information security according to the relevant
needs and expectations. A key management issue is to monitor these indicators
in real time and to initiate, as needed, the necessary measures for
correction, prevention, or improvement of performance according to the PDCA
model. The above-mentioned standards give general guidance for defining the
information security control means to be applied within business processes.
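As an added illustration that is not part of the paper, the monitoring step described above can be sketched in Python: a process performance indicator with a quantitative target, where each reading is routed to the control/corrective loop or the prevention loop, and a sustained breach marks the process as a candidate for breakthrough re-design, following the three PDCA loops named earlier. The indicator name, target, warning ratio and all readings are constructed for the example.

```python
"""Added example, not from the paper: route readings of an information
security performance indicator into the three PDCA loops of process
management (control/corrective action, prevention, breakthrough re-design).
The indicator, its target and all readings are constructed."""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class SecurityIndicator:
    name: str
    target: float             # quantitative upper-bound target (constructed)
    warn_ratio: float = 0.8   # prevention loop engages above 80 % of target
    window: int = 4           # readings considered for trends and averages
    history: list = field(default_factory=list)

    def observe(self, value: float) -> str:
        """Record one reading and return the PDCA loop it engages."""
        self.history.append(value)
        if value > self.target:
            # nonconformity: control loop, corrective action now
            return "control"
        recent = self.history[-self.window:]
        rising = len(recent) == self.window and all(
            later > earlier for earlier, later in zip(recent, recent[1:]))
        if value > self.warn_ratio * self.target or rising:
            # still conforming, but close to the limit or trending towards it
            return "prevention"
        return "ok"

    def needs_breakthrough(self) -> bool:
        """Re-design is indicated when the indicator is above target on
        average over the whole window: repeated corrections have not brought
        the process back, so the process itself has to change."""
        if len(self.history) < self.window:
            return False
        return mean(self.history[-self.window:]) > self.target


def route_readings(readings, target=5.0):
    """Feed constructed weekly readings (e.g. rejected access attempts in the
    order/delivery process) and return the loop each reading engaged plus
    whether breakthrough re-design is indicated at the end."""
    ind = SecurityIndicator("order_delivery_access_rejections", target)
    loops = [ind.observe(r) for r in readings]
    return loops, ind.needs_breakthrough()


if __name__ == "__main__":
    sample = [1.0, 2.0, 3.0, 4.5, 6.0, 7.0]   # constructed readings
    loops, redesign = route_readings(sample)
    for r, loop in zip(sample, loops):
        print(f"{r:4.1f} -> {loop}")
    print("breakthrough re-design indicated:", redesign)
```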
Information security performance should also be considered from both the
strategic and the operational point of view. Strategic performance management
of processes consists of the organization's vision- and strategy-based
measures and evaluations of the overall process performance. Operational
process performance measures for daily management are focused on diagnostics
and analysis for corrective and preventive actions.
Process performance in general, and also the information security performance
of processes, is a fuzzy concept. Process performance evaluation consists of
the strategic assessment of the whole business performance (the process
network) and the operational assessment of individual processes. Assessment
results are useful both for company-internal process improvement and for
quality assurance. Quality assurance includes all those measures through
which an organization demonstrates to its stakeholders that it is capable of
fulfilling effectively all agreed requirements.
Factors affecting the use of systematic managerial tools in business-integrated information security management
Information security management, or more generally business management as a
whole, using the PDCA model and process management calls for responding to
the realities of business environments. Especially nowadays, the need to
manage the variety and agility of operations sets new requirements for all
management practices. The fundamental reason is that today's business
environment is uncertain and ambiguous. This includes:
- Emergence and self-organizing networks of actors affecting the business
- Many heterogeneous global actors in virtual networks on the marketplace
- Everything is linked with everything else, and not all linkages are known
- Paradoxical freedom of the actors ("both-and" instead of "either-or")
- Significance of immaterial issues (information, knowledge, services)
- Increased speed of activities and change
- Significance of transaction phenomena
All these aspects are big challenges also in information security
management.
In all business processes there are three different kinds of activities,
mechanistic, organic, and dynamic, and all of them are inherent in every
business process and its activities. Mechanistic aspects are highly
disciplined tasks (e.g. access control to certain information in the
order-delivery process), organic aspects relate e.g. to necessary business
interactions with internal and external operational partners, and dynamic
aspects reflect spontaneous human activities in situations as they arise.
Business performance and its competitiveness are today based mainly on
organic and dynamic actions. Business management means that all these
dimensions of variety are addressed appropriately in the process network as a
whole and in the individual processes. These various aspects of process
activities should also be taken into account e.g. in the process
documentation. Managing complexity is a requirement of every process, and it
goes beyond simplistic tools. In fact, today most business processes are
complex responsive processes of relating.
Information security may be controlled adequately by strict rules and
instructions or by automatic technological solutions only in the mechanistic
parts of process activities. People's skills, competences, awareness,
initiative, commitment and responsibility, and the general security culture
are most essential in the organic and dynamic business situations.
Achievements in information security management depend on the quality of
management, that is, on how business management is really carried out and how
the systematic tools are used across the whole organization. There are
management actions on several levels in an organization, relating to the
whole organization, its business units or functions, business processes, and
individuals and teams. Leadership emphasizes managers' or superiors' personal
and human aspects in conducting their business actions (see figure 4).
Figure 4. Quality of leadership performance. A successful business
leader's primary quality feature is awareness.
A critical issue for process performance is how the individual performers
within processes operate and how they understand their roles and
responsibilities for information security. There should not be any conflict
between a person's activities in a business process and his or her internal
mental process; this kind of conflict often causes significant threats to
information security. The chance of preventing and resolving these conflicts
effectively depends greatly on the social networking culture in the
organization and on the practices of human resource management, including
the procedures for compensation, rewards, incentives, and recognition. Only
some problems may be avoided by replacing human activities within business
processes with automatic IT solutions.
Conclusions
In order to be effective, information security management should be carried
out in integration with the normal business management practices of the
organization. Separate solutions for information security are abnormal,
ineffective, and finally frustrating. Integration is realized through
practical managerial tools. The PDCA model is a proven and recognized
methodology for all kinds of management. It is very suitable also for
information security management, but its use there has been rather vague, and
not all the advantages of this methodology have been taken up in practice.
Proven business cases demonstrate that process management is in principle a
very simple thing, but its implementation in practice seems incredibly
difficult because it always puts a strain on the organization's leadership.
Development of business processes and their management is a long-term effort
and should take into account the realities of the business environments in
question. This is also the reason for the difficulty of applying it in
information security management. Another point is that security professionals
are not familiar with the foundations and practical approaches of process
management.
References
1. Anttila J.: Managing and assuring information security in integration with the business management of a company, Information security, Small systems security & information security management, Volume 2, IFIP TC 11, Vienna - Budapest 1998, http://www.qualityintegration.biz/Tonava.html
2. Anttila J.: Business-integrated information security management, European intensive programme on information and communication technologies security IPICS'2003, Oulu 2003, http://www.qualityintegration.biz/InformationSecurityIntegration.html
3. Anttila J.: Tacit knowledge - the essence of quality management systems, EOQ 2005 Annual Congress in Antalya, 2005, http://www.qualityintegration.biz/TacitKnowledge.html
4. Anttila J.: A comprehensive process approach for overall performance excellence, Quality Conference in Ostrava, 2002, and workshops in Mumbai and Tallinn, http://www.qualityintegration.biz/BusinessProcessManagement.html
5. Anttila J., Vakkuri J.: Luovan johtajan ISO 9000, Sonera, Helsinki 2001
6. ISO/IEC 27001:2005: Information technology - Security techniques - Information security management systems - Requirements, ISO, Geneva 2005
7. ISO/IEC 17799:2005: Information technology - Security techniques - Code of practice for information security management, ISO, Geneva 2005
8. ISO/IEC 11770-1:1996: Information technology - Security techniques - Key management - Part 1: Framework, ISO, Geneva 1996
9. OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security, OECD, Paris 2002
10. ISO 9000/9001/9004: Quality management systems, ISO, Geneva 2000
11. Juran J.: Juran on planning for quality, New York 1988
12. Latzko W. J., Saunders D. M.: Four days with Dr. Deming. A strategy for modern methods of management, Reading 1997
13. Shewhart W. A.: Economic control of quality of manufactured product
14. Shiba S.: Evolution of quality: From control to breakthrough TQM, EOQ Annual Congress, Trondheim 1997