Venture Knowledgist Quality Integration
BUSINESS-INTEGRATED INFORMATION SECURITY
Information security in any enterprise is achieved effectively and
efficiently through a systematic Information Security Management (ISM)
that is in line with the company's business objectives. However, often
information security practices have been implemented as distinct of
business and by information security professionals. This is not any
natural approach and has been regarded even annoying. As a solution
to such a problem, the paper at hand puts forward the approach of
integrating all necessary information security actions seamlessly
with the business management and business processes and how to take
into account the realities and requirements of the modern business
The ISM is particularly for a company's own business needs and targets.
In this approach the company should of course take into account also
the needs and expectations of its all stakeholders. It should have
also effective communications with those external parties on the relationship-related
topics including relevant information security issues. Analogically
with the well known Quality Assurance (QA) practices one may use the
concept Information Security Assurance (ISA) aimed to create confidence
within the external parties. The ISA should be based on the company's
Information security management is a fuzzy concept. Then it is important
to apply business-management related methodology to evaluate its performance
(including its strengths and weaknesses) and carry out continually
appropriate improvement actions.
A great variety of quality management and quality assurance methodology
and tools, e.g. ISO 9000 standards, has achieved a very broad and
recognized international acceptance, and they can also be made good
use of in managing business-integrated information security. In fact,
information security can be seen as a sub-item of the concept of quality.
Information and information security,
key aspects in the management of modern enterprises
The significance of information security has been emphasized in all
kinds of organizations in modern business environments and especially
when using extensively information technology. Competitiveness and
success of the companies is based on right business related knowledge
on time. On the contrary, wrong or even manipulated information, missing
information or knowledge may cause serious business risks. Continuous
and efficient change of information is a necessity between all stakeholders
(or interested parties), e.g. customers, employees, shareholders,
suppliers, business partners, and the great public. Both the number
and variety of the stakeholders has increased, and the communication
between them has increased and intensified tremendously due to global
telecom networks and services. Company-dedicated networks are tightly
linked with the public networks. Very large part of the information
considered is confidential at least to some stakeholders.
E-business is today's reality and increasing opportunity for organizations
in all sectors. E-business is not only a technological issue. Today
Internet covers already the whole life. Internet provides a worldwide
communication-infrastructure that is expanding very fast. The Net
includes all the people, organizations, cultures, and communities,
and it has changed all interaction environments and behaviors. E-business
facilities do not apply only to explicit data or information of organizations
but it dares to increasing communication between people using their
implicit knowledge. Also information security professionalism should
adapt itself to these new business realities, but e-business also
creates quite new opportunities for both business management and information
The necessity of integration, the harmfulness
of separate management systems
Information security in a company is the end result of numerous details
and activities. These are broadly considered in information security
literature (see e.g. references 4, 5 and 6). The management of all
these impacting factors, so that the results of information security
forward the aims of the company, is called Information Security Management
(ISM). Information security management is integrally embedded with
Business Management (BM) actions.
In order to be able to utilize all the impacting factors needed for
the realization of information security, a comprehensive approach
is required. If this is not possible, the implementation will contain
loopholes and the overall situation is typically contingent on its
weakest links. Another danger is partial optimization, in which certain
factors may be overly emphasized without them being able to bring
about the desired results effects to the wholeness. All of these,
however, always entail additional unnecessary costs.
Information security management is fully analogous to the management
of many other expertise areas important to a company. These include,
- business risks
- human resource development
- information management and communications
- occupational health and safety factors
- environmental protection
All these various areas have professionally very differently established
practices based on their distinctness and historical development.
E.g., there has been during the last couple of decades in the area
of financial management a development of widely adopted de facto principles
and practices, such as budgeting and accounting practices. The systematicity
(i.e. systematic approach) of the quality management including quality
assurance, has attained a very well established and internationally
standardized position through the widely known and used ISO 9000 standards.
These standardized quality management principles have impact on all
the business areas of organizations, including information management
and information security. The experiences gained through quality management
also provide ample opportunities to learn from and utilize in the
area of information security.
Relevant issues with respect to the success of a particular area
of management, such as information security management include:
- Integration, i.e. no distinct management system is created for that
particular area, but the management procedures relevant to it are
realized as integral parts of the overall business leadership and
management system (see figure 1).
- Consistency, i.e. the various measures needed for the management
of that particular area are mutually congruent and compatible.
Figure 1: Consistent elements of Information Security Management (ISM)
and Information Security Assurance (ISA) integrated with business
management (BM). ISM covers the whole BM. ISA is a part of ISM.
Correspondingly, if distinct management approaches upheld by different
organizational (typically support) units and experts should originate
for different management responsibilities, this will sooner or later
generally entail negative effects to the business as a whole. In this
context it is common that one hears talk about such-and-such a system,
for example of an information security system or quality management
system. In order to avoid negative effects, it would be better to
talk rather about the systematicity of information security instead
of an information security system. In this case systematicity (or
systematic approach) would refer to including the "flavor"
of information security in all actual business management practices.
If distinct management areas are allowed to become overly emphasized
due to their independence and distinctness, a common consequence of
this is also conflicts occurring between these different areas (see
figure 2), for instance in connection with prioritizing and resourcing
various initiatives and projects. Such conflicts relate especially
to two management levels of a company:
- the general manager, because his or her commitment in all areas
is required and
- business processes, because one wants to make an impact and be effectively
taken into account in key business process operations.
Fragmentary management also often entails inefficiency in the utilization
of a company's information basis and in information-based leadership.
Such a situation might even result in an uncontrolled situation which
as such may also have negative effects on information security. A
futile competitive situation between different specialized doctrines
can be avoided only if a company has a sufficiently solid leadership
system of its own, one which enables it to utilize all those expert-doctrines
which have proved to be useful, based on its own deliberations.
Figure 2: Possible conflicts of specialized management areas
The reason why the integration of information security management
has often not taken place effectively could be the fact that a company's
own leadership system has not yet taken shape to a sufficient degree,
resulting in the lack of points to "grasp onto". It might
also be the case that information security issues are delegated too
much to experts only, who will then create their own special systems,
even by emphasizing their own position. Moreover, many concepts and
basic principles of information security are foreign and difficult
to understand to busy business managers.
Business management has new challenges
Traditionally the systematic managerial actions are related to business
system and its organizational structure, business environments, stakeholders
(interested parties), business performance and targets, management
and leadership, technology, products (goods and services), business
processes, work and "employeeship", customs and customers,
and company culture. Now there are fundamental changes in all these
issues when organizations are operating in e-business environments.
Only two examples that, however, are very central issues for information
security are considered here, the concepts of organization and management.
These both concepts have very changed states of reference in e-business
compared with the traditional business environments. Corporations
have changed into virtual business communities whose borders are rather
vague. Nobody is any more managing this kind of complex organizational
entity but there are many individual actors with different roles and
performance options depending on access, reach, and control characteristics
of the actors. This all means that remarkable innovations are necessary
also in information security thinking and practices. All information
security related concepts are still relevant but their substance and
realizations could be understood in a new way.
Effective management of the business information and knowledge is
crucial for business success. Simultaneously also information security
is a business management issue that cannot be carried out only by
All the products consisting of goods and services are developed, produced
and delivered through interlinked business processes. Both products
and processes are today very strongly information and knowledge content.
Knowledge may be explicit or implicit (tacit). The biggest and most
important part is tacit knowledge involved with human beings operating
with the business processes.
Effective and efficient process management can be seen as a core issue
for realizing information security in practical business environments.
Of course, the necessary prerequisite is that one must be familiar
with the concepts, principles, and practices of both professional
information security management and business process management.
Basic requirements for information security relate to integrity, availability,
and confidentiality, as well as authenticity and authority aspects
especially when using the means of electrical communication. In business
environments these requirements can genuinely be fulfilled only through
consistent management of the business processes and their activities.
According to recognized international authorities, information security
implies the following comprehensive management related issues:
- Security policy
- Security organization
- Asset classification and controls
- Personal security
- Physical and environmental security
- Computer and network management
- System access control
- System development and maintenance
- Business continuity planning
- Compliance management
In fact, these all issues are very strongly related to business management
decisions and actions (a strategic viewpoint), and business process
management practices (an operational viewpoint).
Realizing the integration of information
It is impossible to define clearly and unequivocally where the border-line
of ISM to the business management (BM) goes (see figure 1). As a matter
of fact, ISM stretches across the entire BM area of operations, due
to the fact that all decisions and measures (whether they are in fact
undertaken or not) made by the leadership have either direct or indirect,
positive or negative impact also on the realization of ISM.
In practice, the integration of information security issues with
business management approaches takes place at two levels:
- The strategic level, where one makes decisions and undertakes measures
concerning the entire business and considers especially the future
competitiveness of the company and management of the whole business
- The operational level, where decisions and measures concerning daily
and case-wise management are made and undertaken.
The most important tasks of leadership on the both levels are planning,
control, and (continual step-by-step) business improvement, which
should all be realized in a systematic way and in accordance with
a company's leadership practices. Integration of information security
will not take place effectively and efficiently unless information
security issues have been included into these normal leadership tasks.
In integrating information security practices, it is extremely important
to manage appropriately the business processes of the company. This
is because, in practice (operationally), information security originates
from processes, that means from process-related activities and information
flows between these activities (see figure 3). Thus, information security
is affected directly in real time through process arrangements, tools,
and people in practical work.
Fig. 3. Information security is realized in the activities and information
flows of business processes (e.g. order/delivery process).
Real responsibility even relating to the management of specialized
issues, including information security, lies always with business
leaders, at the strategic level with the general manager and business
area managers, and at the operational level with process owners. This
responsibility cannot be delegated to experts or externalized to external
inspectors or consultants. The task of experts such as information
security directors or managers is to provide expert support, e.g.
the facilitation of particular approaches and improvement topics through
the utilization of professional tools.
It is essential with respect to the efficient realization and continual
improvement of all issues and means concerning information security
that within a company,
- the leading principles of the issue are clear and well-known,
- effective and efficient means (approaches, procedures, methods,
tools, and theories) are available and used, and
- there is an innovative management and leadership atmosphere and
In fact, continual improvement means a learning process covering
the whole organization. It is possible and really a big challenge
in every company but it requires a comprehensive approach including:
- sensibility and awareness to new solutions
- changing beliefs and attitudes
- training and educating new skills and competences
Assuring information security in order
to build confidence in external parties
The aim of ISM is to internally forward the business needs of a company.
In addition to such internal motives, one also needs measures directed
at parties external to the company, such as customers or regulatory
authorities, the purpose of which is to increase confidence towards
the company's information security abilities and solutions. All these
measures can be referred to as Information Security Assurance (ISA)
analogously to the well known standardized Quality Assurance (QA)
principles and practices.
In practical company-level realizations both ISM and ISA should be
consistently paired approaches. This can be realized effectively in
practice only if the same approaches at the basis of the ISM intended
for the company's internal use are also the underpinning of ISA (see
figures 1 and 4). Thus, the foundation of information security assurance
consists of real procedures in business processes and it is realized
through the way in which these are communicated to external parties.
Information security assurance can be systematically realized with
the help of a concrete information security assurance plan.
Figure 4: Information security assurance (ISA) is based on activities
of business management. The key issue of assurance is communication.
Evaluation and continual improvement
of information security management
It is important to be aware of, i.e. evaluate, the real information
security situation of a company with respect to both ISM and ISA.
As a matter of fact, information security is a fuzzy concept (see
figure 5). This implies, that an overly simplified dichotonic situation
- implying that there either is or isn't information security in the
company is not a fruitful approach. Information security always has
to do with levels of development and differences in degree. This also
entails an essential feature of information security, which is that
it is always possible to continuously improve it. Moreover, it is
also always worth investing in it appropriately.
Figure 5: Information security is a matter of degree and can be always
In information security assessments one can look at the entire business,
which means that it is a strategic assessment, or one can examine
particular business processes and their parts, in which case the evaluation
is more operational in nature. In both cases it is necessary that
the assessments focus on both real operations and the concrete results
reached through them. Through an assessment one can, and also should,
bring into view the company's real
- strengths, i.e. how do we differ from others, our competitors, on
the basis of factual information, and
- weaknesses, i.e. how do the facts indicate something which prevents
or hampers us from using our strengths in a competitive manner.
With the help of an appropriate assessment methodology one can also
gain a quantitative assessment result (numerical scoring) to indicate
the company's developmental status and maturity concerning ISM. It
is also appropriate that the assessment creates recommendations and
initiatives pertaining to the continual improvement of the situation.
The assessments, and improvement measures based on these, include
information on appropriate comparative references (own goals, competitors,
and the best in other industries) and learning from existing best
practices of other organizations, i.e. benchmarking.
When assessing a company's business performance, strength in management
- an effective and systematic approach that is responsive to the information
security requirements, that is deployed without significant weaknesses
or gaps in any areas of the company
- a strong, fact-based and systematic evaluation/improvement process,
and extensive organizational learning as key management tools, as
well as strong refinement and integration, and all those backed by
company-level analysis and sharing
- an approach that is fully integrated with identified business needs
Correspondingly strength in the results obtained by the management
- excellent level of performance in the areas of importance to the
company's business requirements
- strong improvement trends and good sustained performance levels
in the key areas of business
- evidence of industry and benchmark leadership demonstrated in key
- business results that address key customer, market, process, and
action plan requirements
Fulfilling these strength-criteria completely denotes performance
excellence. However, many companies are still on anecdotal or beginning
levels (see figure 5).
Assessments can be made by the first-party (the company itself),
by a second party (customer), or a third party (organization independent
from the first two parties). It is crucially important that the company's
own leadership self-assesses alongside business management and commences
improvement measures based on such assessment. One can also present
a first, second, or third party certificate on the basis of an assessment
(or an audit), indicating how certain assessment criteria are met.
Third party certificates have often had an overly emphasized significance.
There is ample evidence especially from the field of quality management,
that one cannot in reality assure quality (or information security)
on the basis of such certificates. Focusing on certificates has also
easily had a decelerating or damaging effect on striving towards continual
improvement in realizing performance excellence.
Excellence of information security
as an objective
When operating in a competitive business situation, the only possible
goal of a company is performance excellence, because only on this
basis can long-term competitiveness be realized. The goal of superiority
should also be focused on information security management ISM and
information security assurance ISA. In this case it is not enough
to merely comply with certain external standardized requirements.
Comprehensive information security management with performance excellence
as its goal calls for the systematic development of approaches as
well as their effective and efficient implementation into practice
and continuous assessment, and improvement measures at various levels
of the organization.
1. J Anttila, "Managing and assuring information security in
integration with business management of a company" In Information
security. Small systems security & information security management.
Vol2, edited by J H P Eloff and R von Solms, (Vienna, Budapest: IFIP
WG11.2 September 1998)
2. J Anttila: "Business process management, a core issue of implementation
of information security" In Information security and law. Current
issues of information security, edited by A Saarenpää (Rovaniemi:Laplands
3. J Anttila: "Business Integrated e-Quality - Innovative opportunity
for modern advanced organizations", EOQ Conference proceedings
(Harrogate UK: EOQ and IQA 2002)
4. A code of practice for information security management, (London:
Department of trade and industry, DISC PD003, British standards institution
5. Information technology security evaluation criteria (ITSEC), (Brussels,
Luxenbourg: ECSC-EEC-EAEC 1991)
6. J. Kajava and M. T. Siponen, "Security management and organizations
- bottom up or top down approach?" In Proceedings of Nordic Workshop
on Secure Computer Systems (NORDSEC '96), edited by E. Jonsson, (Gothenburg:
SIG Security and Chalmers University of Technology, Department of
Computer Engineering November 1996)
7. J Anttila and J Vakkuri: "ISO 9000 for the Creative Leader",
(Helsinki: Sonera Corporation 2001)
8. J Anttila, J Vakkuri: "Good Better Best" (Helsinki: Sonera
9. ISO 9000:2000, Quality management standards, (Geneve: International
Standardization Organization ISO 2000)
[This text was presented as a paper at IPICS Winter School at the
University of Oulu, Finland in March 2003]