Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland
www.QualityIntegration.biz
INTEGRATING INFORMATION SECURITY MANAGEMENT WITH AN ORGANIZATION'S QUALITY-FOCUSED AND PROCESS-BASED BUSINESS MANAGEMENT
Abstract
Managing information security in all kinds of organizations in modern
business environments is confronted with big challenges. The existing
situation is not satisfactory. Threats of hostile attacks and grievances
affecting organizations' major business aspirations seem to develop
faster than the solutions being implemented. Reactive measures are emphasized
instead of a proactive approach. Business leaders are not motivated
- and they have no time - to delve into complicated and very specialized
information security questions. Information security experts' position
and possibilities to contribute to and influence business management
decisions and their realization are very limited. Very often, when organizations
carry out their downsizing plans, information security expertise
is outsourced. This development leads to superficial or merely
apparent solutions in managing information security.
The significance of information security is, however, increasing,
especially in relation to the extensive use of information technology.
The competitiveness and success of companies are based on having the right business-related
information at the right time. Correspondingly, wrong, incorrect or even
manipulated information, as well as missing information, may cause
serious business risks. Continuous and efficient exchange of information
is a necessity between all stakeholders, including customers, employees,
shareholders, suppliers, business partners, and the general public.
This paper considers the following topics:
- Providing a sound understanding of the organizational information
security conceptually and practically
- Managing information security performance in a consistent way in
an organization
- Integrating information security management seamlessly into the
business management system of the organization
- Understanding key issues and significance of process-based business
management and its relationships to information security management
- Encouraging the use of the well-known and recognized principles
and practices of business-integrated quality management in managing
information security
With this approach we may avoid the difficulties in the existing
practices of information security management.
Understanding organizational information security performance
The general pragmatic approach to information as a concept holds
that genuine information makes it possible for an individual or an
organization to act in a new, meaningful way. Information can be genuine
only if it is tried and justified in real operation. Thus, information
is a basis of all kinds of communities and their practical operation.
Information can never be objective.
The basic concepts characterizing the security of information are:
- integrity - the information one is using for his/her actions is
accurate
- availability - one has access to the relevant information when and
for as long as it is needed
- confidentiality - the information one is using is not manipulated by
anybody else.
Additionally, the aspects of authenticity (the information is authentic, trustworthy,
or genuine) and authority (one has the right to use the information)
are significant, especially when using electronic means of communication.
In organizational environments the information security characteristics
relate to all interactions and transactions of an organization with
all its stakeholders (or interested parties) (see figure 1). In fact,
today all organizations operate in many kinds of networks. Information
security is primarily a category of features of an organization's products
(goods and services), a product being generally defined as any kind
of output from the organization. Products are generated and delivered
by organizations' business processes. Therefore, organizational
information security also originates in business processes, although
it is manifested in the organization's products. Thus, it is justified
to talk about information security as an aspect of the organization's
overall business performance.
Mutual and multilateral transactions between an organization and
its stakeholders are aimed at generating added value for the partners.
Transactions may take place between individuals or technical equipment,
e.g. information systems. In addition to the intended transactions
and products, unintended events and even hostile transactions are
also very likely to take place in organizations' networks.
Figure 1. Information security is valid in an organizational context.
Information security is manifested in products but originated in the
business processes.
In modern business environments both the number and variety of stakeholders
have increased, and communication between them has increased, intensified,
diversified, and sped up tremendously due to global telecom networks
and services. Also, organization-dedicated internal networks are tightly
linked with the public networks. A large part of organizations' internal
and external information is confidential, at least to some stakeholders.
Managing organizational information security performance
Information security is one of an organization's issues of managerial interest
because it is significant, and in many cases even crucial,
from the point of view of business realization and competitiveness. In
this sense the management of information security is fully analogous to
many other specialized areas important to an organization's business
performance and success. These areas include:
- finances,
- quality,
- business risks,
- human resource development,
- ethics,
- information management,
- occupational health and safety factors,
- environmental protection,
- communications,
- innovations,
- etc.
In all these areas it is useful for the organization
to benefit from established and recognized management approaches
and practices. Information security management may also be defined
according to the general definition of management: coordinated activities
to direct and control an organization with regard to information security.
That means that information security management is a responsibility
of the business leaders.
Very similar principles and methodology may be used in all specialized
management areas, including information security. A well-known general
model for all kinds of management is the so-called Deming or Shewhart
cycle (see figure 2). This model describes how consistent management
consists of four consecutive activities:
- P: Planning the business activities: what should be done and what
results should be achieved
- D: Doing the business obligations according to the plans
- C: Checking what was done and what results were achieved
- A: Acting rationally, taking into account the observations and results
of the checking
Figure 2. PDCA model for management (the so-called Deming / Shewhart model)
and its application in strategic and operational business management
In organizational environments the PDCA model may and should be applied
in three different scopes:
- Control: Managing daily operations in business processes in order
to achieve the specified results of the doing. Normally, rectifying
nonconformities is carried out in connection with control.
- Prevention and operational improvements: Solving acute problems,
preventing nonconformities, and finding / implementing operational
step-by-step improvements in business processes. (For continual improvement
one can also use the well-known concept "Kaizen".)
- Breakthrough improvements: Innovating and implementing fundamental,
strategically significant changes in the way of doing business
Top business leaders (senior executives) are responsible for the breakthrough
improvements. Control, prevention, and small-step improvements should
be carried out under the responsibility of operational managers.
There is no reason why control, prevention, small-step improvements,
and breakthrough improvements should not be equally relevant in the field
of information security management. General managerial practices and
means can be used, but professional information security expertise
should also be incorporated. This means a close and effective cooperation
between business leaders and information security experts.
Integrating information security management into the business management
Information security practices in organizations have often been implemented
as distinct initiatives apart from business management, and primarily
by information security professionals. This is not a natural approach
and has even been regarded as annoying. Information security in any organization
is achieved effectively and efficiently only if it is realized as
an organic element of the organization's business strategies and operations.
That is the essence of integration.
Integration requires that actual responsibility for information
security always lies with the business leaders: at the strategic level
with the general manager and business area managers, and at the operational
level with process owners. This responsibility cannot be delegated
to security experts or externalized to outside inspectors or consultants.
The task of experts such as information security directors or managers
is to provide expert support, e.g. the facilitation of particular
approaches and improvement topics through the utilization of suitable
professional tools.
Integration implies that no distinct management system, an "Information
Security Management System", is created for managing information
security; instead, the management procedures relevant to it are realized
as essential parts of the overall business leadership and management
system. Thus, information security management is integrally embedded
in business management actions.
It is impossible to define clearly and unequivocally where the borderline
between information security management and business management lies.
As a matter of fact, information security management stretches across
the entire business management area, due to the fact that all decisions
and measures (whether they are in fact undertaken or not) made by
the top management have a direct or indirect, positive or negative impact
also on the realization of information security.
At the employee or operator level, integration places stress on information
security awareness within individuals and working teams, focused
on their working tasks. However, the responsibility for its development
belongs to the business leaders, and security experts have an important
role in training and education.
Understanding key issues and significance of process-based business management and its relationships to information security management
In integrating information security practices, it is extremely important
to understand information security issues in the context of business
processes. This is because, in practice (operationally), information
security originates from processes, that is, from process-related
activities and the information flows between these activities (see figure
3). Thus, information security is affected directly in real time through
process arrangements, tools, and people in practical work, all of which
are shaped by an appropriate and systematic process management practice.
Figure 3. An organization and its comprehensive system of business
processes interfacing with the stakeholders. Information security
is realized in practice in the business process activities and information
flows between the activities and processes.
Strategic decisions and their implementation take place in the organization's
strategic management process. In order to establish significant
information security related solutions within an organization, this
topic should be considered in the strategic management process in
a systematic and effective way, using appropriate methodology (i.e.
managerial tools).
As a whole, there are many recognized principles and practices
for managing business processes. Information security experts should
use these possibilities for developing means to manage the security of
the organizational business information.
Encouraging the use of the well-known and recognized principles and practices of business-integrated quality management in managing information security
Information security management is fully analogous with quality
management, which has attained a very well established and internationally
standardized position over several decades, e.g. through
the widely known and used ISO 9000 standards. These standardized quality
management principles and practices have an impact on all business areas
of organizations, including the information management and information
security areas. The experiences gained through quality management
also provide ample opportunities for learning and utilization in the
area of information security. This learning may be strengthened by
using systematic benchmarking methodology.
Quality management is a very general concept that in practice is
equal to the quality of management (see figure 4). Quality focus in
an organization implies striving to fulfil all needs and expectations
of all the organization's stakeholders (interested parties), including
security aspects in operations and products. Quality-focused business
management is particularly based on the effective and efficient management
of business processes.
Figure 4. Approaching the quality of a management system according to
the principles of the ISO 9000 standards. Quality of a management system
is defined as the degree to which a set of inherent characteristics of
a management system fulfils the needs and expectations of the organization's
stakeholders. Information security management is integrated with this
approach.
An important principle of quality management is that the organization
should provide assurance to its customers and other stakeholders that
it has all the necessary abilities to realize all the relevant requirements.
All these measures to inspire and strengthen customers' and other
stakeholders' confidence in the organization are called quality assurance.
Analogously, similar information security assurance is also needed
for stakeholders' confidence. Information security assurance is naturally
a sub-domain of information security management.
Very recently, references have also been made to the ISO 9000 standards
in the information security management context. E.g. the well-known
standard BS 7799-2 now applies the ISO 9000 approach and framework.
This standard also tries to use the process approach and the PDCA cycle
model. However, it has not succeeded very well in applying these principles,
and there is a lack of clarity and a lot of shortcomings in the standard
text.
Conclusions
The business-related importance of information security, and simultaneously
also the related threats, are continually increasing. Requirements
for consistent organization-wide information security management
and assurance have become multidimensional and more difficult. New
innovative solutions should be available. However, there has not been
any remarkable practical breakthrough development in the principles,
practices or tools of information security management. The
existing standards are also in the same state.
In order to gain a genuinely stronger influence on this development,
a seamless connection should be drawn between information
security responsibility and related actions and business management.
That is an actual requirement in all kinds of organizations and should
include:
- strategic management to consider organizations' performance as a
whole,
- operational management of business processes, and
- positive development in information security awareness and skills
of the employees.
This is the approach for integrated information security management.
References
1. J Anttila: "Managing and assuring information security in
integration with business management of a company". In Information
security. Small systems security & information security management.
Vol. 2, edited by J H P Eloff and R von Solms (Vienna, Budapest:
IFIP WG11.2, September 1998)
2. J Anttila: "Business process management, a core issue of implementation
of information security". In Information security and law. Current
issues of information security, edited by A Saarenpää (Rovaniemi: Lapland's
University, 2002) (In Finnish)
3. J Anttila: "Business Integrated e-Quality - Innovative opportunity
for modern advanced organizations". EOQ Conference proceedings
(Harrogate, UK: EOQ and IQA, 2002)
4. BS 7799-2: Information security management systems. Specification
with guidance for use (London: DISC Board, The Standards Policy and
Strategy Committee, 2002)
5. J Anttila and J Vakkuri: "ISO 9000 for the Creative Leader"
(Helsinki: Sonera Corporation, 2001)
6. ISO 9000: Quality management standards (Geneva: International
Standardization Organization ISO, 2000)
7. M Walton: "The Deming management method" (New York:
The Putnam Publishing Company, 1986)
8. S Shiba: "Evolution of quality: From control to breakthrough
TQM". In Quality - A critical factor in the past, present and
future. Vol. 1 (Trondheim: EOQ, 1997)
[This text was presented as a paper at IPICS Winter School at the
University of Oulu, Finland in March 2005]