Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland
www.QualityIntegration.biz
BUSINESS MANAGEMENT AND QUALITY ASPECTS FOR INFORMATION SECURITY MANAGEMENT
Abstract
Information security practices in organizations have often been implemented as distinct initiatives, separate from business management and driven primarily by information security professionals. This is not a natural approach, and it has even been regarded as annoying. Information security in any organization is achieved effectively and efficiently only if it is realized as an organic element of the organization's business strategies and operations. This paper puts forward an approach that integrates all necessary information security actions in line with the business objectives, embeds them seamlessly in business processes, and takes into account the realities and requirements of modern business environments.
Information Security Management (ISM) is needed primarily for a company's own business purposes and targets. In this approach the company should, of course, also take into account the needs and expectations of all its stakeholders. By analogy with the well-known Quality Assurance (QA) practices, one may use the concept of Information Security Assurance (ISA), which aims to create confidence among external parties. ISA is strongly related to the company's communication with those parties and should be based on the company's internal ISM facts.
A great variety of quality management and quality assurance methodologies and tools, e.g. the ISO 9000 standards, has achieved very broad and recognized international acceptance, and these can also be put to good use in managing business-integrated information security. In fact, information security can be seen as an important sub-item of the concept of quality. Very useful quality-related practices include, for example, performance evaluation and continual improvement methodologies, which can be used in the field of information security too.
Information and information security are key management aspects in modern organizations
The significance of information security has been emphasized in all kinds of modern organizations, and especially in those that use information technology extensively. The competitiveness and success of companies is based on having the right business-related knowledge at the right time. Correspondingly, wrong, incorrect or even manipulated information, as well as missing information or knowledge, may cause serious business risks. Continuous and efficient exchange of information is a necessity between all stakeholders, including customers, employees, shareholders, suppliers, business partners, and the general public. Both the number and the variety of stakeholders have increased, and communication between them has increased, intensified, diversified, and speeded up tremendously due to global telecommunication networks and services. Company-dedicated internal networks are also tightly linked with the public networks. A large part of the information concerned is confidential, at least to some stakeholders.
Basic requirements for information security relate to integrity, availability, and confidentiality, as well as to authenticity and authority aspects, especially when using the means of electronic communication. According to the recognized international references, information security involves many different kinds of large-scale management-related issues (see e.g. reference 4), including:
- Security policy
- Security organization
- Asset classification and controls
- Personnel security
- Physical and environmental security
- Computer and network management
- System access control
- System development and maintenance
- Business continuity planning
- Compliance management
In fact, all these issues are very strongly related to the decisions and actions of top management (the strategic viewpoint) and to the practices of business process management (the operational viewpoint).
The necessity of integration and the harmfulness of a distinct information security realization - Lessons learnt from quality management
Information security in a company is the end result of numerous details and activities. These issues are described broadly and in detail in the information security literature (see e.g. references 4, 5 and 6). The management of all these impacting factors, so that the results of information security further the aims of the company, is called Information Security Management (ISM).
Integration implies that no distinct management system is created for information security; instead, the management procedures relevant to it are realized as essential parts of the overall business leadership and management system. Thus, ISM is integrally embedded in Business Management (BM) actions (see figure 1).
Figure 1. Typical leadership and management activities of any organization include both strategic (long-term) and operational (short-term) items. Integrated ISM means that all security-related tasks are embedded within these business management (BM) issues. There is no room for any distinct ISM system.
Many individual impacting factors should be considered, and the related methodology applied, in order to realize a professional approach to information security. However, all these issues as a whole should be understood as a comprehensive ISM entirety that covers the whole area of business management (see figure 2). If this does not take place, the ISM implementation will contain loopholes, and the overall situation is typically contingent on its weakest links. Another danger is partial optimization, in which certain factors are overly emphasized without being able to bring about the desired effects on the whole. Loopholes and partial optimization always entail additional, unnecessary costs, too.
Information security management is fully analogous to quality management (QM), which has attained a very well established and internationally standardized position over several decades, e.g. through the widely known and used ISO 9000 standards (see references 3 and 8). These standardized quality management principles and practices have an impact on all business areas of organizations, including information management and information security. The experience gained through quality management also provides ample opportunities to learn from and to utilize in the area of information security.
A crucial principle of QM is that the organization's top management should take the major responsibility, and that the organization should create its basic QM solution on its own initiative, because QM is one of its key competitiveness factors. This is also necessary in the case of ISM. Good results cannot be produced or controlled by outsiders. Even the requirements for ISM must be inborn elements of the business strategies. Of course, as in QM, the organization should take seriously into consideration in its strategies the needs and expectations of all important stakeholders.
Another important principle of QM is that the organization should provide assurance to its customers and other stakeholders that it has all the abilities necessary to realize all the relevant requirements. All these measures to inspire and strengthen customers' and other stakeholders' confidence in the organization are called Quality Assurance (QA). Analogously, a similar Information Security Assurance (ISA) is needed for stakeholders' confidence. ISA is naturally a sub-domain of ISM (see figure 2).
Figure 2. Elements of Information Security Management (ISM) and Information Security Assurance (ISA) integrated with business management (BM). ISM covers the whole of BM. ISA is a part of ISM.
The reason why the integration of information security management has not always taken place effectively may be that a company's own leadership system has not yet taken shape to a sufficient degree, so that there are no points to "grasp onto". It might also be the case that information security issues are delegated too much to experts only, who then create their own special systems, even in order to emphasize their own position. Moreover, many concepts and basic principles of information security are too foreign and difficult for busy business managers to understand.
Collaboration between business leaders and information security experts is a challenging issue for an effective and efficient ISM integration, because they have very different views, experiences, and responsibilities. Business leaders know the right business things to do, and experts know the best means to do information security things right. Business leaders are generalists and strong-acting individuals with authoritative organizational positions. Experts are specialized and deeply knowledgeable individuals with little position-based authority. Nevertheless, a productive dialogue and cooperation between these two characters is needed.
Organizations should strive for excellent performance in information security integration (see figure 3). Aiming only at mediocrity or at fulfilling minimum requirements can never be a sustainable and competitive solution; it implies losing business sooner or later. Excellence of information security performance should be visible in the organization's business activities and related results. In order to achieve that, the organization should realize three corner-stones for its operations (see figure 3).
Figure 3. Three corner-stones for a systematic and excellent information security management: (1) understanding the issue, (2) using appropriate tools, and (3) having a suitable organizational infrastructure.
Realizing the integration of information security management
It is impossible to define clearly and unequivocally where the border-line between ISM and business management (BM) lies (see figure 2). As a matter of fact, ISM stretches across the entire area of BM, because all decisions and measures made by the business managers (whether they are in fact undertaken or not) have a direct or indirect, positive or negative impact also on the realization of ISM.
In practice, the integration of information security issues with business approaches takes place at two management levels:
- The strategic level, where decisions are made and measures undertaken concerning the entire business system, and where the future competitiveness of the company is considered in particular. (Business management)
- The operational level, where decisions and measures concern daily and case-by-case situations. (Operational management)
In integrating information security practices, it is extremely important to understand information security issues in the context of business processes. This is because, in practice (operationally), information security originates from processes, that is, from process-related activities and the information flows between these activities (see figure 4). Thus, information security is affected directly and in real time through the process arrangements, tools, and people in practical work, which in turn are shaped by an appropriate and systematic process management practice.
Figure 4. Information security is realized in the activities and information flows of business processes (e.g. the order/delivery process).
Real responsibility, also for information security, always lies with the business leaders: at the strategic level with the general manager and the business area managers, and at the operational level with the process owners. This responsibility cannot be delegated to security experts or externalized to outside inspectors or consultants. The task of experts such as information security directors or managers is to provide expert support, e.g. the facilitation of particular approaches and improvement topics through the use of suitable professional tools.
Information and knowledge content businesses create new challenges for information security management
All the products of any organization, consisting of goods and services, are developed, produced and delivered through interlinked business processes. Today both products and processes have a very strong information and knowledge content. Knowledge may be explicit or implicit (tacit). The biggest and most important part is the tacit knowledge of the human beings operating the business processes.
E-business is today's reality and an increasing opportunity for organizations in all sectors. E-business is not only a technological issue. Today the Internet already covers the whole of life. The Internet provides a worldwide communication infrastructure that is expanding very fast. The net includes all people, organizations, cultures, and communities, and it has changed all conditions of interaction and behaviors. E-business facilities do not apply only to the explicit data or information of organizations; they also extend to increasing communication between people who use their tacit knowledge. Information security professionalism, too, should adapt itself to these new business realities, but e-business also creates quite new opportunities both for business management and operations and for information security.
Traditionally, systematic managerial actions were related to the business system and its organizational structure, business environments, stakeholders, business performance and targets, management and leadership, technology, products (goods and services), business processes, work and "employeeship", customs and customers, and company culture. Now there are fundamental changes in all these issues when organizations operate in e-business environments.
Only two examples, which are however very central issues for information security, are considered here: the concepts of organization and management. Both concepts have very different states of reference in e-business compared with traditional business environments. Corporations have changed into virtual and emergent business communities or networks of different actors whose borders are rather vague. There is no single, clearly defined, or stable organizational system to be managed. Nobody manages this kind of complex organizational entity any more; rather, the individual actors have different roles and performance options depending on their access, reach, and control characteristics. All this means that remarkable innovations are necessary also in information security thinking and practices. All information security related concepts are still relevant, but their substance and realizations may have to be understood in very new ways.
Assuring information security in order to build confidence within external parties
The aim of ISM is to further the business needs of a company internally. In addition to such internal motives, there are also needs for measures directed at parties external to the company, such as customers or regulatory authorities, the purpose of which is to create and strengthen confidence in the company's information security abilities and solutions. All these measures can be referred to as Information Security Assurance (ISA), analogously to the well-known standardized Quality Assurance (QA) principles and practices (see reference 1).
The foundation of ISA consists of the real procedures in business processes, and it is realized through the way in which these are communicated to external parties (see figure 5).
Figure 5: Information security assurance (ISA) is based on the activities of business management. The key issue of assurance is communication.
Evaluation and continual improvement of information security management
It is important to be aware of, i.e. to evaluate, the real situation of a company with respect to ISM. As a matter of fact, information security is a fuzzy concept (see figure 6). Information security always has to do with levels of development and differences of degree. This also entails an essential feature of information security: it is always possible to improve ISM further.
There are plenty of methods available for evaluating the performance of ISM. Checking (or auditing) ISM against fixed requirements is appropriate at the operational level. In strategic ISM assessments, however, one should also take into account the improvement process and the development of ISM, and consider the achievements against relevant reference organizations and their best practices.
In information security assessments one can look at the entire company, which means that it is a strategic assessment, or one can examine particular business processes and their parts, in which case the evaluation is more operational in nature. In both cases it is necessary to examine both the real operations and the concrete results reached through them. Through an assessment one can, and also should, bring into view the company's demonstrated
- Strengths, i.e. how the company differs from others, especially competitors, on the basis of factual information, and
- Weaknesses, i.e. how the facts indicate something that prevents or hampers the company from using its strengths in a competitive manner.
Figure 6: Information security is a matter of degree (a "fuzzy" concept) and can always be improved.
With the help of an appropriate assessment methodology (see reference 8) one can also obtain a quantitative assessment result (numerical scoring) that indicates the company's developmental status and maturity concerning ISM. It is also appropriate that the assessment produces recommendations and initiatives pertaining to the continual improvement of the situation. The assessments, and the improvement measures based on them, include information on appropriate comparative references (own goals, competitors, and the best in other industries) and learning from the existing best practices of other organizations, i.e. benchmarking.
When assessing a company's information security performance, strength in the management actions and processes implies:
- An effective systematic approach, fully responsive to the multiple requirements of information security, is evident
- The approach is fully deployed without significant weaknesses or gaps in any areas of the organization's activities
- Fact-based, systematic evaluation and improvement and organizational learning are key organization-wide practices
- Refinement and innovation of information security, backed by analysis and knowledge sharing, are evident throughout the organization
- The approach is well integrated with the organizational needs identified in response to the other business requirements
Correspondingly, strength in the results obtained by the management actions and processes implies:
- Current performance is excellent in most organizational areas of importance to the information security requirements.
- Excellent improvement trends or sustained excellent performance levels of information security are reported in most organizational areas.
- Evidence of industry and benchmark leadership is demonstrated in many organizational areas.
- Information security performance results fully address key customer, market, process, and action plan requirements.
Fulfilling these strength criteria completely denotes performance excellence in ISM. However, many companies are still at the anecdotal or beginning levels (see figure 6), even if they have strived to fulfil formal requirements.
Assessments can be made by the first party (the company itself), by second parties (customers), or by a third party (an organization independent of the first two). It is crucially important that the company itself assesses the performance of its information security management and commences improvement measures based on the assessments. One can also present a first-, second-, or third-party certificate on the basis of an assessment (or an audit), indicating how certain assessment criteria are met. Third-party certificates have often been given an overly emphasized significance. There is ample evidence, especially from the field of QM, that one cannot in reality assure quality (or information security) on the basis of such certificates. Focusing on certificates has also easily had a decelerating or damaging effect on striving towards continual improvement in realizing performance excellence.
Excellence of information security as the goal
When operating in a competitive business situation, the only possible goal of a company is performance excellence (see figure 2), because only on this basis can long-term competitiveness be realized. The goal of superiority should also be applied to information security management (ISM). In this case it is not enough merely to comply with certain external standardized requirements.
Comprehensive information security management with performance excellence as its goal calls for the systematic development of approaches, their effective and efficient implementation in practice, and continuous assessment and improvement measures at various levels of the organization. This leads to learning by the whole organization. Through organizational learning the company may naturally also initiate appropriate changes in the three corner issues of the company's business activities (see figure 2). Organizational learning is a big challenge in every organization, and it requires a comprehensive approach to ISM (see figure 7) including:
- Sensibility and awareness of new solutions
- Changing beliefs and attitudes
- Training and educating new skills and competences
Figure 7. Domains of action and change for organizational learning for continually improving the information security management in any organization (see also figure 2).
Summary and conclusions
An effective and efficient business-integrated information security management is based on the following foundations:
- In competitive business environments a company should aim at performance excellence, also in information security and its management, and not only at fulfilling fixed performance requirements.
- Information security management belongs to the responsibility of business leaders and cannot be realized by information security experts or external parties alone.
- Managing information security separately from business management is not justified.
- Modern business environments and realities, and especially human issues, should be taken into account when implementing information security management solutions.
- Business processes are in the most important position when implementing professional business-integrated information security practices effectively and efficiently.
- Information security management and information security assurance have different objectives, and therefore different but mutually consistent measures are needed for them.
- Information security is a fuzzy concept, and its real situation should be evaluated from the business point of view for continual improvement.
- Organizational learning is a modern and challenging approach for continually improving company-wide information security.
- Methodological management principles and means for information security can be learnt from recognized quality management practices.
References
1. J. Anttila, "Managing and assuring information security in integration with business management of a company", in Information security. Small systems security & information security management, Vol. 2, edited by J. H. P. Eloff and R. von Solms (Vienna, Budapest: IFIP WG11.2, September 1998).
2. J. Anttila, "Business process management, a core issue of implementation of information security", in Information security and law. Current issues of information security, edited by A. Saarenpää (Rovaniemi: University of Lapland, 2002) (in Finnish).
3. J. Anttila, "Business Integrated e-Quality - Innovative opportunity for modern advanced organizations", EOQ Conference proceedings (Harrogate, UK: EOQ and IQA, 2002).
4. A code of practice for information security management (London: Department of Trade and Industry, DISC PD003, British Standards Institution, 1993).
5. Information technology security evaluation criteria (ITSEC) (Brussels, Luxembourg: ECSC-EEC-EAEC, 1991).
6. J. Kajava and M. T. Siponen, "Security management and organizations - bottom up or top down approach?", in Proceedings of the Nordic Workshop on Secure Computer Systems (NORDSEC '96), edited by E. Jonsson (Gothenburg: SIG Security and Chalmers University of Technology, Department of Computer Engineering, November 1996).
7. J. Anttila and J. Vakkuri, "ISO 9000 for the Creative Leader" (Helsinki: Sonera Corporation, 2001).
8. J. Anttila and J. Vakkuri, "Good Better Best" (Helsinki: Sonera Corporation, 2000).
9. P. Senge, C. Roberts, B. Ross and A. Kleiner, "The Fifth Discipline Fieldbook" (London: Nicholas Brealey Publishing Limited, 1995).
10. ISO 9000, Quality management standards (Geneva: International Organization for Standardization ISO, 2000).
[This text was presented as a paper at the IPICS Winter School at the University of Oulu, Finland, in March 2004]