
The Framework and 1

Running Head: The Framework and Principles of Information Security Management

TUI UNIVERSITY

Module 1 – Case Assignment

Course #: ITM517

Information Security Overview for Managers and Policy Makers


Introduction

Information is a valuable asset in any organization, whether it is printed or written on paper, stored electronically or sent by mail or electronic means (British Standards Institution, 2009). Industry and consumers alike recognize the need for information security – consumers from the viewpoint of keeping their information private and businesses from the perspective of its importance to long-term growth of the IT sector (Wright et al., 2008). To effectively manage the threats and risks to an organization's information, the organization should establish a framework of information security management. This paper discusses the importance of a framework of information security management, then states how a framework differs from information security and concludes with an overview of some information security principles.

The Framework of Information Security Management: Today's economy highly depends on the secure flow of information within and across organizations; therefore, information security is of paramount importance. A secure and trusted environment for stored and shared information greatly enhances consumer benefits, business performance and productivity, and national security (Conner et al., n.d.). In an effort to achieve such goals the Business Software Alliance (BSA) task force identified four findings: 1) government has already established a significant legislative and regulatory regime around IT security, and is considering additional action; 2) information security is often treated solely as a technology issue, when it should also be treated as a governance issue; 3) there is already broad consensus on the actions necessary to remedy the problem; and 4) lack of progress is due in part to the absence of a governance framework (Conner et al., n.d.).

Congress and state governments have already passed into law several bills that govern how companies must address information security issues. Some of these include the Sarbanes-Oxley Act of 2002, the Gramm-Leach-Bliley Act of 1999, the Health Insurance Privacy and Accountability Act, and many more.

In looking at the growing abundance of rules, regulations, and guidelines, it quickly becomes clear that information security is not solely a technical issue, but a corporate governance challenge. Information security responsibility is too often delegated to the chief information officer or the chief security officer, who suffer conflicting demands with regard to IT functionality and costs and who may not be in a position to leverage the resources and authority necessary to address the problem across multiple business lines or divisions. To make real progress, firms must address information security, not solely as a technology issue, but as a matter of "corporate best practices" (covering people, processes, and technology) and frame solutions in terms that are broadly relevant to business operations (Conner et al., n.d.).

There is already broad consensus on the actions necessary to remedy the problem. A review of literature shows that most guidance documents and other reports recommend a common solution and support the approach reflected in ISO 17799 and the Federal Information Security Management Act (FISMA) (Conner et al., n.d.).

With all these measures in place, why are organizations still not successful in obtaining effective information security? The conclusion of the BSA task force is that a vital piece of the puzzle is still missing: an information security governance framework that private industry can readily adopt (Conner et al., n.d.). What is needed is a framework that specifies what corporate executives, business unit heads, senior managers, and CIOs/CISOs should do; that identifies business drivers, clarifies roles and responsibilities, recognizes commonalities and defines metrics; and that is flexible enough to apply to different business models (Conner et al., n.d.). An example is outlined in the table at the end of this paper (page 6). Its horizontal axis identifies the different management levels, while its vertical axis identifies the business drivers, responsibilities, and metrics.

The framework poses three sets of questions with regard to information security. The first set of questions identifies the drivers behind security objectives – drivers that will be different for different businesses and industries. For example, is the driver a market condition such that a company will experience significant brand erosion in the event of a cyber attack? The second set of questions refers to the programs and processes to be put in place to accomplish organizational security objectives. These programs are common to almost all organizations. The last set of questions focuses on assessing risk, measuring the effectiveness of security controls, and making improvements as necessary (Conner et al., n.d.).

Framework of Information Security Management vs. Information Security: The framework of information security management (FISM) is different from information security. Information security is protecting information from unauthorized access, use, disclosure, disruption, modification and destruction, while a FISM is that and much more. Information security alone is not good enough. As the BSA task force discovered, several measures were already in place, yet proper security was not achieved; what was missing was governance, that is, a FISM.

The Data Mining Corporation (DMC) discussed in the article "The Illusion of Security" is a perfect example of a corporation that has tight information security. The security is so tight that even the employees are given location implants. The company collects data about individuals from hundreds of sources and then sells the aggregated data back to many of those sources (Wright et al., 2008). Despite the high level of security at DMC, three of its employees were still able to steal some very important information and run off with it, which eventually publicly disgraced the highly trusted and secure corporation. DMC can hardly believe that its many security measures—video surveillance, biometrics, key-logging software, access control measures, regular audits, employee implants and so on—could fail (Wright et al., 2008). DMC had very good information security measures in place, but did it have an effective FISM? It is obvious that DMC's security was highly dependent on technology. A FISM, however, does not treat security as solely a technical issue, but also as a governance issue. Under a FISM, the information security duties of all upper-level managers are clearly outlined. For example, even when profiling employees, the HR manager at DMC would apply the principles of the FISM to ensure that the staff employed can be trusted.

Principles of Managing Information Security: Along with a framework of information security management, organizations also need to practice good information security management principles in order to optimize information security. For optimum security, organizations should consider the following principles: security policies should be created, communicated, implemented, endorsed, monitored, and enforced across the organization; every member of an organization should be made aware of the importance of information security and be trained in good security practices; there should be proper access controls to make certain only identified and authorized users with a legitimate need can access information and system resources; security should be considered throughout the system life cycle; monitoring, auditing, and reviewing system activities should be a routine and regular function; and business continuity plans must be tested regularly and updated (Conner et al., n.d.).

Conclusion

Despite legislative and technological measures that are already in place to achieve information security, an organization will not achieve optimum security until an effective FISM is established. An effective framework specifies what corporate executives, business unit heads, senior managers, and CIOs/CISOs should do; identifies business drivers, clarifies roles and responsibilities, recognizes commonalities and defines metrics; and is flexible enough to apply to different business models (Conner et al., n.d.). Implementing the best security technology does not guarantee security, as the case of DMC demonstrated. An effective framework that practices good information security principles is much more effective.
Toward a Framework for Action on Information Security Governance

Actors (columns): Corporate Executives; Business Unit Head; Senior Manager; CIO/CISO
Actions (rows): Governance/Business Drivers; Roles and Responsibilities; Metrics/Audit

Governance/Business Drivers (these tend to be sector- or organization-specific)
Question: What am I required to do? / What am I afraid not to do?
Corporate Executives: Legislation, ROI
Business Unit Head: Standards, policies, or budgets
Senior Manager: Standards, audit results
CIO/CISO: Security policies, security operations, and resources

Roles and Responsibilities (these tend to be generic across industries and organizations)
Question: How do I accomplish my objectives?
Corporate Executives:
• Oversight and coordination of policies
• Oversight of business unit compliance
• Compliance reporting
• Actions to enforce accountability
Business Unit Head:
• Provide information security protection commensurate with the risk and business impact
• Provide security training
• Develop the controls environment and activities
• Report on effectiveness of policies, procedures and practices
Senior Manager:
• Provide security for information and systems
• Periodic assessments of assets and their associated risks
• Determine level of security appropriate
• Implement policies and procedures to cost effectively reduce risk to acceptable levels
• Periodic test of security and controls
CIO/CISO:
• Develop, maintain, and ensure compliance to program
• Designate security officer with primary duties and training
• Develop required policies to support security program and business unit specific needs
• Develop information use and categorization plan
• Assist senior managers with their security responsibilities
• Conduct security awareness

Metrics/Audit (these tend to be sector- or organization-specific)
Question: How effectively do I achieve my objectives? What adjustments do I need to make?
Corporate Executives: Financial reporting, monetizing losses, conforming to policies
Business Unit Head: Policy violations, misuse of assets, internal control violations
Senior Manager: Risk assessment and impact analysis, control environment activities, remedial actions, policy and procedure compliance, security and control test results
CIO/CISO: Security awareness effectiveness, incident response and impact analysis, security program effectiveness, information integrity, effects on information processing
References

British Standards Institution. (2009). Information security management. Retrieved January 14, 2010 from http://www.bsigroup.com/en/Assessment-and-certification-services/management-systems/Business-areas/Information-Security-Management/

Conner, B., Noonan, T., Holleyman, R. (n.d.). Information security governance: toward a framework for action. Business Software Alliance. Retrieved January 12, 2010 from http://www.bsa.org/country/Research%20and%20Statistics/~/media/BD05BC8FF0F04CBD9D76460B4BED0E67.ashx

Wright, D., Friedewald, M., Schreurs, W., Verlinden, M., Gutwirth, S., Punie, Y., Maghiros, I., Vildjiounaite, E., Alahuhta, P. (2008). The illusion of security. Communications of the ACM, Vol. 51, Issue 3, p. 56-63. Retrieved January, 2010 from TUI library. http://delivery.acm.org/10.1145/1330000/1325567/p56-wright.pdf?key1=1325567&key2=6585826321&coll=GUIDE&dl=GUIDE&CFID=24785424&CFTOKEN=49009685

Sipior, J., Ward, B. (2008). A framework for information security management based on guiding standards: A United States perspective. Issues in Informing Science and Information Technology, Volume 5. Retrieved January 13, 2010 from http://proceedings.informingscience.org/InSITE2008/IISITv5p051-060Sipior491.pdf
