Venture Knowledgist Quality Integration
BUSINESS MANAGEMENT AND QUALITY ASPECTS
FOR INFORMATION SECURITY MANAGEMENT
practices in organizations have often been implemented as distinct
initiatives apart from business management and primarily by information
security professionals. This is not any natural approach and has been
regarded even annoying. Information security in any organization is
achieved effectively and efficiently only if it is realized as an
organic element of organization's business strategies and operations.
This paper puts forward an approach of integrating all necessary information
security actions in line with the business objectives, embedded seamlessly
in business processes, and taking into account the realities and requirements
of the modern business environments.
Information Security Management (ISM) is particularly needed for
a company's own business purposes and targets. In this approach the
company should, of course, take into account also the needs and expectations
of its all stakeholders. Analogically with the well known Quality
Assurance (QA) practices one may use the concept Information Security
Assurance (ISA) aimed to create confidence within the external parties.
The ISA is strongly related to company's communication with the parties
and should be based on the company's internal ISM-facts.
A great variety of quality management and quality assurance methodology
and tools, e.g. ISO 9000 standards, has achieved a very broad and
recognized international acceptance, and they can also be made good
use of in managing business-integrated information security. In fact,
information security can be seen as an important sub-item of the concept
of quality. Very useful quality related practices include e.g. performance
evaluation and continual improvement methodologies that can be used
in the field of information security, too.
Information and information security
are key management aspects in modern organizations
The significance of information security has been emphasized in all
kinds of modern organizations and especially when using extensively
information technology. Competitiveness and success of the companies
is based on right business related knowledge on time. Correspondingly
wrong, incorrect or even manipulated information, as well as missing
information or knowledge may cause serious business risks. Continuous
and efficient exchange of information is a necessity between all stakeholders
including customers, employees, shareholders, suppliers, business
partners, and the great public. Both number and variety of stakeholders
has increased, and communication between them has increased, intensified,
diversified, and speeded up tremendously due to global telecom networks
and services. Also company-dedicated internal networks are tightly
linked with the public networks. Large part of the information considered
is confidential at least to some stakeholders.
Basic requirements for information security relate to integrity,
availability, and confidentiality, as well as authenticity and authority
aspects especially when using the means of electrical communication.
According to the recognized international references, information
security implies plenty of different kinds of large-scale management
related issues (see e.g. reference 4), including:
- Security policy
- Security organization
- Asset classification and controls
- Personal security
- Physical and environmental security
- Computer and network management
- System access control
- System development and maintenance
- Business continuity planning
- Compliance management
In fact, all these issues are very strongly related to the decisions
and actions of top management (a strategic viewpoint), and practices
of business process management (an operational viewpoint).
The necessity of integration and the
harmfulness of a distinct information security realization - Lessons
learnt from quality management
Information security in a company is the end result of numerous details
and activities. These issues are described broadly and in details
in information security literature (see e.g. references 4, 5 and 6).
The management of all these impacting factors, so that the results
of information security forward the aims of the company, is called
Information Security Management (ISM).
Integration implies that no distinct management system is created
for information security, but the management procedures relevant to
it are realized as essential parts of the overall business leadership
and management system. Thus, ISM is integrally embedded with Business
Management (BM) actions (see figure 1).
Figure 1. Typical leadership and management activities of any organization
include both strategic (long term) and operational (short term) items.
Integrated ISM means that all security related tasks are embedded
within these business management (BM) issues. There is no room for
any distinct ISM system.
A lot of individual impacting factors should be considered and related
methodology applied in order to realize a professional approach for
information security. However, all these issues as a whole should
be understood as a comprehensive ISM entirety that covers the whole
area of business management (see figure 2). If this does not take
place, the ISM implementation will contain loopholes and the overall
situation is typically contingent on its weakest links. Another danger
is partial optimization, in which certain factors may be overly emphasized
without them being able to bring about the desired results effects
to the wholeness. Loopholes and partial optimization always entail
additional unnecessary costs, too.
Information security management is fully analogous with the quality
management (QM) that has attained a very well established and internationally
standardized position already during several decades e.g. through
the widely known and used ISO 9000 standards (see reference 3 and
8). These standardized quality management principles and practices
have impact on all business areas of organizations, including information
management and information security areas. The experiences gained
through quality management also provide ample opportunities to learn
from and utilize in the area of information security.
A crucial principle of QM is that organization's top management should
take the major responsibility, and the organization should create
the basic solution for QM by its own initiative because QM is one
of its key competitiveness factors. This is also necessary in the
case of ISM. Good results cannot be made or controlled by any outsiders.
Even the requirements for ISM must be inborn issues of business strategies.
Of course - and as is also in QM - the organization should take seriously
into consideration in its strategies the needs and expectations of
all important stakeholders.
Another important principle of QM is that the organization should
provide assurance to its customers and other stakeholders that it
has all necessary abilities to realize all the relevant requirements.
All these measures to inspire and strengthen customers' and other
stakeholders' confidence in the organization are called Quality Assurance
(QA). Analogically also similar Information Security Assurance (ISA)
is needed for stakeholders' confidence. ISA is naturally a sub-domain
of ISM (see figure 2).
Figure 2. Elements of Information Security Management (ISM) and Information
Security Assurance (ISA) integrated with business management (BM).
ISM covers the whole BM. ISA is a part of ISM.
The reason why the integration of information security management
has not always taken place effectively could be the fact that a company's
own leadership system has not yet taken shape to a sufficient degree,
resulting in the lack of points to "grasp onto". It might
also be the case that information security issues are delegated too
much to experts only, who will then create their own special systems,
even by emphasizing their own position. Moreover, many concepts and
basic principles of information security are too foreign and difficult
to understand to busy business managers.
Collaboration of business leaders and information security experts
is a challenging issue for an effective and efficient ISM integration
because they have very different views, experiences, and responsibilities.
Business leaders know the right business things and experts know the
best means to do information security things right. Business leaders
are generalists and strongly acting individuals with authoritative
organizational positions. Experts are specialized and deeply knowing
individuals with low position-based authority. However, a productive
dialogue and cooperation is needed between these two characters.
Organizations should strive for an excellent performance in information
security integration (see figure 3). Only aiming at mediocrity or
fulfilling minimum requirements can never be a sustainable and competitive
solution. They imply losing business sooner or later. Excellence of
information security performance should take place in organization's
business activities and related results. In order to achieve that,
the organization should realize three corner-stones for its operations
(see figure 3).
Figure 3. Three corner-stones for a systematic and excellent information
security management: (1) understanding the issue, (2) using appropriate
tools, and (3) having a suitable organizational infrastructure.
Realizing the integration of information
It is impossible to define clearly and unequivocally where the border-line
of ISM to the business management (BM) goes (see figure 2). As a matter
of fact, ISM stretches across the entire area of BM, due to the fact
that all decisions and measures (whether they are in fact undertaken
or not) made by the business managers have direct or indirect, positive
or negative impact also on the realization of ISM.
In practice, the integration of information security issues with
business approaches takes place at two management levels:
- The strategic level, where one makes decisions and undertakes measures
concerning the entire business system and considers especially the
future competitiveness of the company. (Business management)
- The operational level, where decisions and measures concern daily
and case-wise situations. (Operational management)
In integrating information security practices, it is extremely important
to understand information security issues in the context of business
processes. This is because, in practice (operationally), information
security originates from processes, that means from process-related
activities and information flows between these activities (see figure
4). Thus, information security is affected directly in real time through
process arrangements, tools, and people in practical work that are
affected by an appropriate and systematic process management practice.
Figure 4. Information security is realized in the activities and information
flows of business processes (e.g. order/delivery process).
Real responsibility, even relating to the information security, lies
always with business leaders, at the strategic level with the general
manager and business area managers, and at the operational level with
process owners. This responsibility cannot be delegated to security
experts or externalized to outside inspectors or consultants. The
task of experts such as information security directors or managers
is to provide expert support, e.g. the facilitation of particular
approaches and improvement topics through the utilization of suitable
Information and knowledge content businesses
create new challenges for information security management
All the products of any organization, consisting of goods and services,
are developed, produced and delivered through interlinked business
processes. Both products and processes are today very strongly information
and knowledge content. Knowledge may be explicit or implicit (tacit).
The biggest and most important part is tacit knowledge involved with
human beings operating with the business processes.
E-business is today's reality and increasing opportunity to organizations
in all sectors. E-business is not only a technological issue. Today
Internet covers already the whole life. Internet provides a worldwide
communication-infrastructure that is expanding very fast. The net
includes all people, organizations, cultures, and communities, and
it has changed all interaction conditions and behaviors. E-business
facilities do not apply only to explicit data or information of organizations
but it dares to increasing communication between people using their
tacit knowledge. Also information security professionalism should
adapt itself to these new business realities, but e-business also
creates quite new opportunities both for business management and operations,
and for information security.
Traditionally the systematic managerial actions were related to business
system and its organizational structure, business environments, stakeholders,
business performance and targets, management and leadership, technology,
products (goods and services), business processes, work and "employeeship",
customs and customers, and company culture. Now there are fundamental
changes in all these issues when organizations are operating in e-business
Only two examples that, however, are very central issues for information
security are considered here, the concepts of organization and management.
These both concepts have very changed states of reference in e-business
compared with the traditional business environments. Corporations
have changed into virtual and emergent business communities or networks
of different actors whose borders are rather vague. There is no single,
clearly defined, or stable organizational system to be managed. Nobody
is any more managing this kind of complex organizational entity but
the individual actors have different roles and performance options
depending on access, reach, and control characteristics of the actors.
This all means that remarkable innovations are necessary also in information
security thinking and practices. All information security related
concepts are still relevant but their substance and realizations could
be understood in very new ways.
Assuring information security in order
to build confidence within external parties
The aim of ISM is to internally forward the business needs of a company.
In addition to such internal motives, there are also needs for measures
directed at parties external to the company, such as customers or
regulatory authorities, the purpose of which is to create and strengthen
confidence towards the company's information security abilities and
solutions. All these measures can be referred to as Information Security
Assurance (ISA) analogously to the well known standardized Quality
Assurance (QA) principles and practices (see reference 1).
The foundation of ISA consists of real procedures in business processes,
and it is realized through the way in which these are communicated
to external parties (see figure 5).
Figure 5: Information security assurance (ISA) is based on activities
of business management. The key issue of assurance is communication.
Evaluation and continual improvement
of information security management
It is important to be aware of, i.e. evaluate, the real situation
of a company with respect to ISM. As a matter of fact, information
security is a fuzzy concept (see figure 6). Information security always
has to do with levels of development and differences in degree. This
also entails an essential feature of information security, which means
that it is always possible to continually improve the ISM.
There is plenty of methods available to evaluate the performance
of ISM. Checking (or auditing) ISM against fixed requirements is appropriate
at operational level. In strategic ISM assessments, however, one should
also take into account the improvement process and development of
ISM, and consider the achievements against relevant reference organizations
and their best practices.
In information security assessments one can look at the entire company,
which means that it is a strategic assessment, or one can examine
particular business processes and their parts, in which case the evaluation
is more operational in nature. In both cases it is necessary to examine
both real operations and the concrete results reached through them.
Through an assessment one can, and also should, bring into view the
- Strengths, i.e. how do the company differ from others, especially
competitors, on the basis of factual information, and
- Weaknesses, i.e. how do the facts indicate something which prevents
or hampers the company from using its strengths in a competitive manner.
Figure 6: Information security is a matter of degree (a "fuzzy"
concept) and can be always improved.
With the help of an appropriate assessment methodology (see reference
8) one can also gain a quantitative assessment result (numerical scoring)
to indicate the company's developmental status and maturity concerning
ISM. It is also appropriate that the assessment creates recommendations
and initiatives pertaining to the continual improvement of the situation.
The assessments, and improvement measures based on these, include
information on appropriate comparative references (own goals, competitors,
and the best in other industries) and learning from existing best
practices of other organizations, i.e. benchmarking.
When assessing a company's information security performance, strength
in the management actions and processes implies:
- An effective systematic approach, fully responsive to the multiple
requirements of the information security, is evident
- The approach is fully deployed without significant weaknesses or
gaps in any areas of the organization's activities
- Fact-based, systematic evaluation and improvement and organizational
learning are key organization-wide practices
- Refinement and innovation of the information security, backed by
analysis and knowledge sharing, are evident throughout the organization
- The approach is well integrated with the organizational needs identified
in response to the other business requirements
Correspondingly, strength in the results obtained by the management
actions and processes implies:
- Current performance of is excellent in most organizational areas
of importance to the information security requirements.
- Excellent improvement trends or sustained excellent performance
levels of information security are reported in most organizational
- Evidence of industry and benchmark leadership is demonstrated in
many oragnizational areas.
- Information security perfromance results fully address key customer,
market, process, and action plan requirements.
Fulfilling these strength-criteria completely denotes performance
excellence in ISM. However, many companies are still on anecdotal
or beginning levels (see figure 6) even if they have strived for fulfilling
Assessments can be made by the first-party (the company itself),
by second parties (customers), or a third party (organization independent
from the first two parties). It is crucially important that the company
itself assesses the performance of information security management
and commences improvement measures based on the assessments. One can
also present a first, second, or third party certificate on the basis
of an assessment (or an audit), indicating how certain assessment
criteria are met. Third party certificates have often had an overly
emphasized significance. There is ample evidence especially from the
field of QM, that one cannot in reality assure quality (or information
security) on the basis of such certificates. Focusing on certificates
has also easily had a decelerating or damaging effect on striving
towards continual improvement in realizing performance excellence.
Excellence of information security
as the goal
When operating in a competitive business situation, the only possible
goal of a company is performance excellence (see figure 2), because
only on this basis can long-term competitiveness be realized. The
goal of superiority should also be focused on information security
management ISM. In this case it is not enough to merely comply with
certain external standardized requirements.
Comprehensive information security management with performance excellence
as its goal calls for the systematic development of approaches as
well as their effective and efficient implementation into practice
and continuous assessment, and improvement measures at various levels
of the organization. This leads to the learning of the whole organization.
Through organizational learning the company may naturally also initiate
appropriate changes in the three corner issues of company's business
activities (see figure 2). Organizational learning a big challenge
in every organization but it requires a comprehensive approach of
ISM (see figure 7) including:
- Sensibility and awareness to new solutions
- Changing beliefs and attitudes
- Training and educating new skills and competences
Figure 7. Domains of action and change for an organizational learning
for continually improving the information security management in any
organization (see also figure 2)
Summary and conclusions
An effective and efficient business-integrated information security
management is based on the following foundations:
- In competitive business environments a company should aim at performance
excellence, even in information security and in its management, not
only fulfilling the fixed performance requirements.
- Information security management belongs to business leaders' responsibility
and cannot be realized by information security experts or external
- Information security management separately from business management
is not justified.
- Modern business environments and realities and especially human
issues should be taken into account when implementing solutions of
information security management.
- Business processes are in the most important position when implementing
effectively and efficiently professional business-integrated information
- Information security management and information security assurance
have different objectives and therefore different but mutually consistent
measures are needed for them.
- Information security is a fuzzy concept and its real situation should
be evaluated from the business point of view for continual improvement.
- Organizational learning is a modern challenging approach for continually
improving company-wide information security.
- Methodological management principles and means for information security
can be learnt from recognized quality management practices.
1. J Anttila, "Managing and assuring information security in
integration with business management of a company" In Information
security. Small systems security & information security management.
Vol. 2, edited by J H P Eloff and R von Solms, (Vienna, Budapest:
IFIP WG11.2 September 1998)
2. J Anttila: "Business process management, a core issue of implementation
of information security" In Information security and law. Current
issues of information security, edited by A Saarenpää (Rovaniemi:Laplands
University 2002) (In Finnish)
3. J Anttila: "Business Integrated e-Quality - Innovative opportunity
for modern advanced organizations", EOQ Conference proceedings
(Harrogate UK: EOQ and IQA 2002)
4. A code of practice for information security management, (London:
Department of trade and industry, DISC PD003, British standards institution
5. Information technology security evaluation criteria (ITSEC), (Brussels,
Luxenbourg: ECSC-EEC-EAEC 1991)
6. J. Kajava and M. T. Siponen, "Security management and organizations
- bottom up or top down approach?" In Proceedings of Nordic Workshop
on Secure Computer Systems (NORDSEC '96), edited by E. Jonsson, (Gothenburg:
SIG Security and Chalmers University of Technology, Department of
Computer Engineering November 1996)
7. J Anttila and J Vakkuri: "ISO 9000 for the Creative Leader",
(Helsinki: Sonera Corporation 2001)
8. J Anttila, J Vakkuri: "Good Better Best" (Helsinki: Sonera
9. P. Senge, C. Roberts, B. Ross, A. Kleiner: "The Fifth Discipline
Fieldbook" (London: Nicholas Brealey Publishing Limited, 1995)
10. ISO 9000, Quality management standards, (Geneve: International
Standardization Organization ISO 2000)
[This text was presented as a paper at IPICS Winter School at the
University of Oulu, Finland in March 2004]