Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland
www.QualityIntegration.biz
MANAGING AND ASSURING INFORMATION SECURITY IN INTEGRATION WITH THE BUSINESS MANAGEMENT OF A COMPANY
Abstract
Total information security management in a company - or in any organization
whatsoever - is composed of Information Security Management (ISM), which is
carried out in line with the company's business objectives, and of Information
Security Assurance (ISA), which aims to create confidence among external parties
such as customers and authorities. A recurring difficulty in practical company
cases has been that information security practices are viewed as distinct from
the business and as measures implemented chiefly by information security
professionals. Such measures have often been regarded as superfluous and even
annoying. As a solution to these problems, this paper puts forward the idea of
integrating information security seamlessly with the business. Information
security measures should not be set up as an information security system
distinct and separate from the business management of the company; in practice,
such a separate system may even prove harmful. Information security management
cannot be realized solely through experts internal to the company, nor merely
on the basis of external assurance.
The ISO 9000 standards on quality management and quality assurance rest on a
very broad international consensus, and they can also be put to good use in
managing information security in companies. After all, information security is
a sub-area of the concept of quality. At the same time, the company gains the
opportunity to apply, more effectively than before, the many other widely used
quality management principles and tools for the continual improvement of
company performance also in the area of information security.
The necessity of integration, the harmfulness of separate management systems
Information security in a company is the end result of numerous details and
sub-activities. The management of all these contributing factors, so that the
outcomes of information security advance the aims of the company, is called
Information Security Management (ISM). Information security management is
integrally linked with Business Management (BM).
In order to make use of all the factors that affect the realization of
information security, a comprehensive approach is required for its practical
implementation. Where this is not achieved, the implementation will contain
loopholes, and the overall level of security is then typically determined by
its weakest links. Another danger is partial optimization, in which some
factors are over-emphasized without producing the desired effect on the whole.
Both loopholes and over-emphasis always entail costs.
Information security management is fully analogous to the management
of many other areas important to a company. These include, for example,
- finances,
- quality,
- business risks,
- human resource development,
- information management,
- occupational health and safety factors,
- environmental protection,
- communications,
- etc.
These areas differ greatly in how well established their practices are. In
financial management, for instance, the last couple of decades have seen the
development of widely adopted de facto principles and practices, such as
budgeting and accounting practices. The systematics of total quality management,
i.e. quality management and quality assurance, has attained a very well
established and internationally standardized position through the widely known
and used ISO 9000 standards; in this connection one even speaks of the
'ISO 9000 phenomenon'. Because total quality management is today understood
comprehensively, the standardized principles related to it have spread to all
the business areas of organizations, including information management and
information security. The experience gained in total quality management thus
offers much that can be learned from and applied in the area of information
security.
All the aforementioned cases concern particular areas of a company's
business management. The following are relevant issues with respect
to the success of a particular area of management, such as information
security management:
- Integration, i.e. no distinct management system is created for a
particular area, but the management procedures relevant to it are
realized as integral parts of the overall business leadership and
management system (see figure 1).
- Consistency, i.e. the various measures needed in the management
of these different areas are mutually congruent and compatible.
Fig. 1. Consistent elements of information security management (ISM)
and information security assurance (ISA) integrated with business
management (BM).
Correspondingly, if distinct management approaches for different areas are built
up and upheld by different organizational units (support units) and experts,
this will sooner or later have negative effects on the whole. In this
connection one commonly hears talk of such-and-such a system, for example of an
information security system or a quality system. To avoid these negative
effects, it would be better to speak of the systematicity of information
security rather than of an information security system. Systematicity (or a
systematic approach) here means including the "flavor" of information security
in the company's actual business management practices.
If distinct management areas are allowed to become over-emphasized because of
their independence and separateness, a common consequence is collisions between
these areas (see figure 2), for instance when initiatives and projects are
prioritized and resourced. Such collisions concern especially two management
levels of a company:
- the CEO, because his or her commitment in all areas is desired and
- business processes, because everyone wants to make an impact and
be effectively taken into account in key business process operations.
Fig. 2. Collisions of specialized management areas
Fragmentary management approaches often lead to inefficient use of a company's
information base and to weak information-based leadership. The result may even
be chaotic, and chaos in management in turn has negative effects on information
security itself. A futile competition between different doctrines can be
avoided only if a company has a sufficiently solid leadership system of its
own, one that allows it, on the basis of its own deliberations, to draw on all
those doctrines that have proved useful.
The reason why the integration of information security management has often not
taken place effectively may be that the company's own leadership system has not
yet taken sufficient shape, so that there are no points to "grasp onto". It may
also be that information security issues are delegated too broadly to experts,
who then create their own special systems, sometimes even to emphasize their own
position. Moreover, many concepts and basic principles of information security
are foreign to business managers.
Realizing the integration of information security management
It is impossible to define clearly and unequivocally where the boundary between
ISM and BM lies (see figure 1). In fact, ISM stretches across the entire area of
BM operations, because every decision and measure taken by the leadership (and
every one not taken) has a direct or indirect, positive or negative impact on
the realization of information security.
In practice, the integration of information security issues with management
approaches takes place at two levels:
- The strategic level, where one makes decisions and undertakes measures
concerning the entire business and considers especially the future
competitiveness of the company and management of the whole.
- The operative level, where decisions and measures concerning daily
management are made and undertaken.
With respect to the above, one can also talk about:
- vertical integration, which covers the company-wide leadership systematics:
the activities of the top leadership, the organization (especially the set of
key business processes as a whole), resourcing, the measures and indicators
applied throughout the organization, and measurement and analysis; and
- horizontal integration, which covers the business process activities through
which products (including services) are realized, i.e. marketing, sales,
product development, production, delivery, etc.
The most important tasks of leadership are planning, control, and
(continual step-by-step) improvement, which should all be realized
in a systematic way and in accordance with a company's leadership
practices. Integration of information security will not take place
unless information security elements have been included into these
normal leadership tasks.
In integrating information security practices, it is important to manage the
company's process systematics effectively. This is because, operationally,
information security originates in processes, that is, in process activities
and in the information flows between those activities (see figure 3), as the
company realizes its products and conducts its business. Information security
is thus directly affected, in real time, by process arrangements, tools, and
people.
Fig. 3. Information security is realized in the activities and information
flows of business processes (e.g. order/delivery process).
Real responsibility for the management of special areas, including information
security, always lies with business leaders: at the strategic level with the
CEO and business area managers, and at the operational level with process
owners. This responsibility cannot be delegated to experts or outsourced to
external inspectors or consultants. The task of experts such as information
security executives or managers is to provide expert support, e.g. by
facilitating particular approaches and improvement topics with professional
tools.
It is essential with respect to the efficient realization and continual
improvement of all issues and means concerning information security
that in the company in focus,
- the leading principles of the issue are clear and well-known,
- effective and efficient means (approaches, procedures, methods,
and tools) are available, and
- the company has an innovative corporate and leadership atmosphere
and infrastructure.
Because information security issues are naturally a part of company-wide
quality management (QM), the quality management principles (QMP) underlying the
ISO 9000 standards can be applied to ISM as well. A quality management
principle is a broad, versatile, and fundamental rule (practice, guidance,
guideline) or understanding (belief, conviction) for the leadership and
practices of a company. Its purpose is to improve long-term performance
continually by focusing on customers while balancing the needs of the other
stakeholders. Eight such quality management principles have been defined in
the ISO 9000 standards:
- Principle 1: Customer focus
Organizations depend upon their customers, and should therefore understand both
the current and future needs of customers, meet their requirements, and strive
to exceed their expectations.
- Principle 2: Leadership
The leadership creates the unity of purpose and the direction of an
organization. It should also create an atmosphere in which people are fully
involved in striving towards, and thus strongly committed to, the
organization's objectives.
- Principle 3: Participation of people
People at all levels are the essence of an organization. When everyone is fully
involved and strongly committed, their skills and capabilities are brought to
bear for the organization.
- Principle 4: Process approach to business
Objectives and goals are reached more efficiently when interconnected resources
and procedures are managed as one entity, i.e. as a process.
- Principle 5: System approach to leadership, i.e. managing issues as a system
Recognizing, understanding, and managing a system of interdependent processes
in order to reach a given objective improves an organization's effectiveness
and results orientation.
- Principle 6: Continual improvement
Continual improvement is the perpetual goal of an organization.
- Principle 7: Fact-based decisions
Effective decisions are based on the analysis of information and facts.
- Principle 8: Partnership relations with suppliers
An organization and its suppliers are dependent on one another, and mutually
beneficial relations help both parties.
Taking all the above principles into account also in information security
management promotes the natural integration of the issue into business.
One should consider in each and every company how these principles
are taken into account in realizing information security.
Assuring information security in order to build confidence of external parties
The aim of information security management is to advance the company's own
business needs internally. In addition to these internal motives, measures are
often also needed that are directed at parties external to the company, such as
customers or authorities, and whose purpose is to increase confidence in the
company's information security realizations. Such measures are collectively
referred to as Information Security Assurance (ISA), by analogy with Quality
Assurance (QA), whose principles and practices have been defined in detail and
discussed in the ISO 9000 standards.
Fig. 4. An element of information security management (see fig. 1) serves both
the company's internal business purposes (i.e. information security management,
ISM) and external customers' confidence purposes (i.e. information security
assurance, ISA).
In practical company-level realizations both ISM and ISA should be
mutually compatible and consistent. This can be realized effectively
in practice only if the same approaches at the basis of the ISM intended
for the company's internal use are also the underpinning of ISA (see
figure 4). Thus, the foundation of information security assurance
consists of real procedures in business processes and it is realized
through the way in which these are communicated to external parties
(see figure 5).
Fig. 5. Information security assurance (ISA) is based on activities
of business management.
Information security assurance can be systematically realized with
the help of a special information security assurance plan (cf. the
quality assurance plan defined in the ISO 10005 standard). On the
basis of this, one can also draw up an information security agreement
with a customer, if needed.
Evaluation and continuous improvement of information security management
It is important to know, i.e. to evaluate, the real information security
situation of a company with respect to both information security management and
information security assurance. Information security is, in fact, a fuzzy
concept (see figure 6). This implies that an over-simplified ON/OFF evaluation,
in which the company either has (ON) or does not have (OFF) information
security, is not a fruitful approach. Information security is always a matter
of levels of development and differences in degree. An essential consequence is
that information security can always be improved further, and that it is always
worth investing in it appropriately.
Fig. 6. Fuzziness of a company's information security management:
- membership curve of the company's information security maturity
- information security is a matter of degree and can always be improved
Concerning integration, it is appropriate that information security
be also taken into account when assessing business performance comprehensively.
With respect to improvement measures, it is appropriate that an evaluation
of the degree of information security be reached. In information security
assessments one can look at the entire business, which means that
it is a strategic assessment, or one can examine particular processes
and their parts, in which case the evaluation is more operational
in nature. In both cases it is necessary that the assessments focus
on both real activities and the concrete results reached through them.
Through an assessment one can, and also should, bring into view the
company's real
- strengths, i.e. how do we differ from others, our competitors, on
the basis of factual information, and
- weaknesses, i.e. do the facts indicate something which prevents
or hampers us from using our strengths in a competitive manner.
With respect to examining the results, the measurement systematics or Balanced
Scorecard (BSC) used for business management should also include those ISM
measures and/or indicators that are important to the business. Otherwise
information security is not, in practice, treated as a strategic issue by the
leadership.
With the help of an appropriate assessment system one can also gain
a numerical assessment result (see figures 7 and 8) to indicate the
company's developmental status and maturity concerning ISM. It is
also appropriate that the assessment reach recommendations and initiatives
pertaining to the continual improvement of the situation. The assessments,
and improvement measures based on these, include knowledge of appropriate
comparison targets (own goals, competitors, and the best in other
industries) and learning from existing best practices, i.e. benchmarking.
Fig. 7. A comprehensive evaluation of a company's information security
management (approach/deployment and results)
Fig. 8. Scoring principles for the evaluation of information security
management of a company or other organization entity
Assessments can be made by the so-called first-party (the company
itself), by a second party (customer), or a third party (organization
independent from the first two parties). It is crucially important
that the company's own leadership self-assesses alongside business
management and commences improvement measures based on such assessment.
A first, second, or third party certificate can also be issued on the basis of
an assessment (or an audit), indicating how certain assessment criteria are met.
Third party certificates have often been given exaggerated significance. There
is ample evidence, especially from the field of quality management, that quality
(or information security) cannot in reality be assured on the basis of such
certificates. A focus on certificates has also tended to slow down or damage the
pursuit of continual improvement towards performance excellence. Nor can
information security assurance measures or certificates be regarded as
management tools for information security. When used correctly, however,
certificates can contribute to information security assurance.
Excellence of information security as an objective
When functioning in a competitive situation, the only possible goal
of a company is performance excellence, because only on this basis
can long-term competitiveness be realized. The goal of superiority
should also be focused on information security management. In this
case it is not enough to merely comply with certain external requirements.
Comprehensive information security management with performance excellence
as its goal calls for the systematic development of approaches as
well as their effective and efficient implementation into practice
and continuous assessment, and improvement measures at various levels
(see figure 8).
References
1. Drafts for the revised ISO 9000:2000 standards, International Organization
for Standardization (ISO), Geneva, 1998
2. Malcolm Baldrige National Quality Award, 1998 Award Criteria, National
Institute of Standards and Technology, Washington, 1997
3. Anttila, Juhani & Vakkuri, Jorma: Does it pay to be good? Telecom Finland
Ltd, Helsinki, 1997
[This text was presented as a seminar paper at the IFIP WG 11.2 & 11.2 seminar
on a Danube boat in Hungary in September 1998]