Venture Knowledgist Quality Integration
INTEGRATING INFORMATION SECURITY MANAGEMENT
WITH AN ORGANIZATION'S QUALITY-FOCUSED AND PROCESS-BASED BUSINESS
Managing information security in all kinds of organizations in modern
business environments is confronted with big challenges. Existing
situation is not satisfactory. Treats of hostile attacks and grievances
affecting organizations' major business aspirations seem to develop
faster that implementing solutions. Reacting measures are emphasized
instead of proactive approach. Business leaders are not motivated
- and they have no time - to delve into complicated and very specialized
information security questions. Information security experts' position
and possibilities to contribute and influence in business management
decisions and realizations are very limited. Very often when organizations
are practicing their down-sizing plans the information security expertise
is being outsourced. This development is causing superficiality or
apparent solutions in managing information security.
The significance of information security is however being increased
especially related to the extensive use of information technology.
Competitiveness and success of the companies is based on right business
related information on time. Correspondingly wrong, incorrect or even
manipulated information, as well as missing information may cause
serious business risks. Continuous and efficient exchange of information
is a necessity between all stakeholders including customers, employees,
shareholders, suppliers, business partners, and the great public.
This paper is to consider the following topics:
- Providing a sound understanding of the organizational information
security conceptually and practically
- Managing information security performance in a consistent way in
- Integrating information security management seamlessly into the
business management system of the organization
- Understanding key issues and significance of process-based business
management and its relationships to information security management
- Encouraging the use of the well-known and recognized principles
and practices of business-integrated quality management in managing
With this approach we may avoid the difficulties in the existing
practices of information security management.
Understanding organizational information
The general pragmatic approach to information as a concept addresses
that genuine information makes it possible to an individual or an
organization to act in a new meaningful way. Information can be genuine
only if it is tried and justified in real operation. Thus, information
is a basis of all kinds of communities and its practical operation.
Information can never be objective.
Basic concepts characterizing security of the information consist
- integrity - information that one is using for his/her actions is
- availability - one has access to the relevant information when and
so long it is needed
- confidentiality - information one is using is not manipulated by
Additionally authenticity (information is authentic, trustworthy,
or genuine) and authority (one has right to use the information) aspects
are significant especially when using the means of electrical communication.
In organizational environments the information security characteristics
relate to all interactions and transactions of an organization with
all its stakeholders (or interested parties) (see figure 1). In fact,
today all organizations operate in many kinds of networks. Information
security is primarily a category of features of organization's products
(goods and services) - a product being in general defined as any kind
of output from the organization. Products are generated and delivered
by organizations'business processes. Therefore also the organizational
information security is originated in business processes although
it is manifested in organization's products. Thus, it is motivated
to talk about information security as an aspect in organization's
overall business performance.
Mutual and multilateral transactions between an organization and
its stakeholders are aimed at generating added-value to the partners.
Transactions may take place between individuals or technical equipment,
e.g. information systems. In addition to the intended transactions
and products there are also always very likely taking place unintended
events and even hostile transactions in organizations' networks.
Figure 1. Information security is valid in an organizational context.
Information security is manifested in products but originated in the
In modern business environments both the number and variety of stakeholders
has increased and communication between them has increased, intensified,
diversified, and speeded up tremendously due to global telecom networks
and services. Also organization-dedicated internal networks are tightly
linked with the public networks. Large part of organizations' internal
and external information is confidential at least to some stakeholders.
Managing organizational information
Information security is one of the organization's managerially interested
issues because it is significant and in many cases even crucial issue
from the business realization and competitiveness point of view. In
this sense management of information security is fully analogous to
many other specialized areas important to an organization's business
performance and success. These areas include:
- business risks,
- human resource development,
- information management,
- occupational health and safety factors,
- environmental protection,
In all these areas organizations it is useful for the organization
to get benefits using established and recognized management approaches
and practices. Also information security management may be defined
according to the general definition of management as coordinated activities
to direct and control an organization with regard to information security.
That means that information security management is a responsibility
of the business leaders.
Very similar principles and methodology may be used in all specialized
management areas including information security. A well-known general
model for all kinds of management is so called Deming or Shewhart
cycle (see figure 2). This model describes how a consistent management
consists of four consecutive activities:
- P: Planning the business activities what should be done and what
results should be achieved
- D: Doing the business obligations according to the plans
- C: Checking what was done and what results achieved
- A: Acting rationally taking into account the observations and results
of the checking
Figure 2. PDCA model for management (so called Deming / Shewhart model)
and its application in strategic and operational business management
In organizational environments the PDCA model may and should be applied
in three different scopes:
- Control: Managing daily operations in business processes in order
to achieve the specified results of the doing. Normally rectifying
nonconformities is carried out in connection with control.
- Prevention and operational improvements: Solving acute problems,
preventing nonconformities, and finding / implementing operational
step by step improvements in business processes. (For continual improvement
one can also use a well-known concept "Kaizen")
- Breakthrough improvements: Innovating and implementing fundamental
strategically significant changes in the way doing business
Top business leaders (senior executives) are responsible of the breakthrough
improvements. Control, prevention, and small step improvement should
be carried our by the responsibility of operational managers.
There are no excuses why control, prevention, small step improvements,
and breakthrough improvements were not relevant also in the field
of information security management. General managerial practices and
means can be used but also professional information security expertise
should be incorporated. This means a close and effective cooperation
of business leaders and information security experts.
Integrating information security management
into the business management
Information security practices in organizations have often been implemented
as distinct initiatives apart from business management and primarily
by information security professionals. This is not any natural approach
and has been regarded even annoying. Information security in any organization
is achieved effectively and efficiently only if it is realized as
an organic element of organization's business strategies and operations.
That is the essence of integration.
Integration requires that actual responsibility for the information
security lies always with the business leaders, at the strategic level
with the general manager and business area managers, and at the operational
level with process owners. This responsibility cannot be delegated
to security experts or externalized to outside inspectors or consultants.
The task of experts such as information security directors or managers
is to provide expert support, e.g. the facilitation of particular
approaches and improvement topics through the utilization of suitable
Integration implies that no distinct management system, "Information
Security Management System", is created for managing information
security, but the management procedures relevant to it are realized
as essential parts of the overall business leadership and management
system. Thus, information security management is integrally embedded
with business management actions.
It is impossible to define clearly and unequivocally where the border-line
of the information security management to business management goes.
As a matter of fact, information security management stretches across
the entire business management area, due to the fact that all decisions
and measures (whether they are in fact undertaken or not) made by
the top management have direct or indirect, positive or negative impact
also on the realization of information security.
At employee or operator level, integration places stress on information
security awareness within individuals and working teams and focused
to their working tasks. However, the responsibility its development
belongs to the business leaders, and security experts have an important
role in training and education.
Understanding key issues and significance of process-based business
management and its relationships to information security management
In integrating information security practices, it is extremely important
to understand information security issues in the context of business
processes. This is because, in practice (operationally), information
security originates from processes, that means from process-related
activities and information flows between these activities (see figure
3). Thus, information security is affected directly in real time through
process arrangements, tools, and people in practical work that are
affected by an appropriate and systematic process management practice.
Figure 3. An organization and its comprehensive system of business
processes interfacing with the stakeholders. Information security
is realized in practice in the business process activities and information
flows between the activities and processes.
Strategic decisions and their implementation take place in organization's
strategic management process. In order to get established remarkable
information security related solutions within an organization this
topic should be considered in the strategic management process in
a systematic and effective way and using appropriate methodology (i.e.
As a whole there are a lot of recognized principles and practices
how to manage business processes. Information security experts should
use these possibilities for developing means to manage security of
the organizational business information.
Encouraging the use of the well-known and recognized principles and
practices of business-integrated quality management in managing information
Information security management is fully analogous with the quality
management that has attained a very well established and internationally
standardized position already during several decades e.g. through
the widely known and used ISO 9000 standards. These standardized quality
management principles and practices have impact on all business areas
of organizations, including information management and information
security areas. The experiences gained through quality management
also provide ample opportunities to learn from and utilize in the
area of information security. This learning may be strengthened by
using systematic benchmarking methodology.
Quality management is a very general concept that in practice means
equal to the quality of management (see figure 4). Quality focus in
an organization implies striving for fulfilling all needs and expectations
of organization's all stakeholders (interested parties) including
security aspects in operations and products. Quality focused business
management is particularly based on the effective and efficient management
of business processes.
Figure 4. Approaching quality of a management system according to
the principles of ISO 9000 standards. Quality of a management system
is defined as degree to which a set of inherent characteristics of
a management system fulfils needs and expectations of organization's
stakeholders. Information security management is integrated with this
An important principle of quality management is that the organization
should provide assurance to its customers and other stakeholders that
it has all necessary abilities to realize all the relevant requirements.
All these measures to inspire and strengthen customers' and other
stakeholders' confidence in the organization are called quality assurance.
Analogically also similar information security assurance is needed
for stakeholders' confidence. Information security assurance is naturally
a sub-domain of information security management.
Very recently also in the information security management context
references have been made to the ISO 9000 standards. E.g. well-known
standard BS 7799-2 is now applying ISO 9000 approach and framework.
This standard also tries using the process approach and the PDCA cycle
model. However, it has not succeeded very well in applying these principles
and there is lack of clarity and a lot of shortcomings in the standard
Business related importance of information security and simultaneously
also the related threats are continually increasing. Requirements
for a consistent organization-wide information security management
and assurance have become multidimensional and more difficult. New
innovative solutions should be available. However, there has not been
any practical remarkable breakthrough development in the principles,
practices or tools of the information security management. Also the
existing standards are at the same status.
In order to get genuine strengthened influence to the development,
there should be drawn a seamless connection between the information
security responsibility and related actions and business management.
That is actual requirement in all kinds of organizations and should
- strategic management to consider organizations' performance as a
- operational management of business processes, and
- positive development in information security awareness and skills
of the employees.
This is the approach for an integrated information security management.
1. J Anttila, "Managing and assuring information security in
integration with business management of a company" In Information
security. Small systems security & information security management.
Vol. 2, edited by J H P Eloff and R von Solms, (Vienna, Budapest:
IFIP WG11.2 September 1998)
2. J Anttila: "Business process management, a core issue of implementation
of information security" In Information security and law. Current
issues of information security, edited by A Saarenpää (Rovaniemi:Laplands
University 2002) (In Finnish)
3. J Anttila: "Business Integrated e-Quality - Innovative opportunity
for modern advanced organizations", EOQ Conference proceedings
(Harrogate UK: EOQ and IQA 2002)
4. BS 7799-2, Information security management systems. Specification
with guidance for use, (London: DISC Board, The Standards Policy and
Strategy Committee, 2002)
5. J Anttila and J Vakkuri: "ISO 9000 for the Creative Leader",
(Helsinki: Sonera Corporation, 2001)
6. ISO 9000, Quality management standards, (Geneve: International
Standardization Organization ISO 2000)
7. M Walton, "The Deming management method", (New York:
The Putnam Publishing Company, 1986)
8. S Shiba, "Evolution of quality: From control to breakthrough
TQM", In Quality - A critical factor in the past, present and
future. Vol. 1, (Trondheim: EOQ 1997)
[This text was presented as a paper at IPICS Winter School at the
University of Oulu, Finland in March 2005]