Implementation of Information Security Principles
Dave Carlson - February 1, 2008
Most aspects of business are influenced by information systems. Because information systems are so critical to creating and sustaining today’s business environment, it is imperative that business leaders implement effective information security principles and policies. The most important factor in building a successful information security system is support from top management. Additionally, all members of the organization need to be aware of security concerns and of the policies established to deal with those concerns, since the best protection mechanisms within an organization are its members. The organization must identify specific information security risks and have detailed procedures in place to manage those risks. Organization members must be trained to respond appropriately if those risks materialize as cyber-terrorist security incidents.
Implementation of Information Security Principles
Most aspects of business are influenced by information and telecommunication systems. Lieutenant General Hayden, Director of the National Security Agency from March 1999 to April 2005, stated that the global telecommunications revolution was “probably the most dramatic revolution in human communications since Gutenberg’s invention of movable type” (Janczewski & Colarik, 2005, p. x). Because information systems are critical to sustaining today’s business environment, it is imperative that business leaders embrace information security principles.
Role of Security Awareness
Wulgaert (2005) proposed that two groups of people need to be aware of security: 1) “every member of an organization, from the mailroom staff to the CEO” and 2) “every other individual that potentially has access to the organization’s information” (p. 10). Information security awareness includes not only all members of an organization, but also anyone who (physically or logically) accesses the organization’s information.
The most important factor in building a successful information security system is support from top management (Janczewski & Colarik, 2005, p. 14). Because it is not possible for top management to directly manage every aspect of a complex organization, Janczewski and Colarik (2005) proposed that it is important to appoint a security manager to oversee the implementation of an information security system (p. 15). It becomes the responsibility of the security manager to ensure that all members of the organization are aware of security concerns, since “the best protection mechanisms within an organization are its employees” (Janczewski & Colarik, 2005, p. 127).
Importance of Information Security
In 2002, a survey of 300 of the biggest companies in Australia revealed that “computer crime is no longer just a nuisance value, but a serious threat to customer relationships and ultimately bottom line profitability” (Janczewski & Colarik, 2005, p. 9). More recently, a 2006 survey of nearly 1,200 organizations in 48 countries revealed that most organizations still needed to make further improvements in information security. The Ernst & Young survey concluded that information security has become “increasingly more essential not only to securing global business operations, but also to long-term competitive success” (van Kessel, 2006, p. 36).
Issues Related to Information Security
Janczewski and Colarik (2005) presented the following information security issues:
- Identification, authentication, and access control. Establish rules about how to identify persons and systems attempting to access an information system. Determine which system resources should be made available to a given person or system.
- Personnel security. Create a security-conscious atmosphere within an organization and carefully vet all applicants and employees.
- Operations security management. Introduce rules governing daily preventive measures within an organization so that it can prevent and respond to security incidents.
- Information security policy. Develop an overall strategy for dealing with information security issues, including possible cyber attacks.
- Business continuity planning. Establish specific procedures for recovering from an incident that disrupts information systems, including training organization members to handle emergency procedures (p. 217).
Risk Management and Information Security
A 2006 survey of more than 1,200 organizations from 48 countries revealed that more than two thirds of the respondents incorporated risk management principles into their management activities (van Kessel, 2006, p. 10).
Unfortunately, that same survey discovered that less than half of the respondents integrated information risk management into their risk management activities (van Kessel, 2006, p. 14). The results of this survey are both encouraging and disturbing. While it is encouraging to note that most organizations surveyed embraced risk management, it is disturbing that most of the organizations surveyed failed to integrate information risk management, “the most significant part of building an overall protection plan for a business” (Janczewski & Colarik, 2005, p. 48).
The National Institute of Standards and Technology offered the following definitions related to risk management.
Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. (Stoneburner, Goguen, & Feringa, 2002, p. 1)
Janczewski and Colarik (2005) suggested that threat analysis is the most difficult part of identifying an information security risk (p. 52). The two reasons this analysis is so difficult are that 1) many risks are rare in certain circumstances, making it difficult to estimate the probability of the event happening, and 2) an organization may not have anyone trained to perform the risk analysis (Janczewski & Colarik, 2005, p. 52). Even though the threat analysis portion of risk management is difficult, effective risk management related to information security is critical to successful execution of global business strategies today (van Kessel, 2006, p. 9).
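The NIST definition quoted above (risk as the product of probability and impact, reduced to an acceptable level) and the difficulty of estimating the probability of rare events can both be made concrete in a small risk-register calculation. The following Python script is an added illustration, not part of this paper or of the NIST guide; the High/Medium/Low rating scales and the 1-to-100 risk bands are assumed here from the illustrative risk-level matrix in SP 800-30, and the register entries are constructed sample data. A risk whose likelihood nobody can estimate is reported as “Unrated” and kept on the open list rather than being silently defaulted, which is the failure mode the preceding paragraph warns about.

```python
"""Risk assessment in the SP 800-30 style: risk = likelihood x impact.

Added example with rating scales assumed from the illustrative risk-level
matrix in NIST SP 800-30 (2002); the register below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed scales: likelihood and impact are each rated High/Medium/Low and
# multiplied to place the risk on a 1-100 scale.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
LEVEL_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Unrated": 0}


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: Optional[str]  # None when no one can estimate it (rare event)
    impact: str


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood x impact on the assumed 1-100 scale."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Assumed SP 800-30 bands: above 50 is High, above 10 is Medium, else Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(item: RiskItem) -> dict:
    """Rate one register entry.

    An unknown likelihood is reported as 'Unrated' instead of being defaulted,
    so the gap in the threat analysis stays visible to management.
    """
    if item.likelihood is None:
        return {"item": item, "score": None, "level": "Unrated"}
    score = risk_score(item.likelihood, item.impact)
    return {"item": item, "score": score, "level": risk_level(score)}


def prioritize(items: list, acceptable: str = "Low") -> list:
    """Return the entries that still exceed the acceptable level, highest first.

    Unrated entries are always included: a risk cannot be accepted until
    someone has estimated its likelihood.
    """
    rated = [assess(i) for i in items]
    open_risks = [
        r for r in rated
        if r["level"] == "Unrated" or LEVEL_ORDER[r["level"]] > LEVEL_ORDER[acceptable]
    ]
    return sorted(open_risks, key=lambda r: (-LEVEL_ORDER[r["level"]], -(r["score"] or 0)))


# Constructed sample register (hypothetical assets, threats and vulnerabilities).
REGISTER = [
    RiskItem("customer database", "web application compromise", "unpatched web server", "High", "High"),
    RiskItem("payroll server", "insider misuse", "shared administrator password", "Medium", "Medium"),
    RiskItem("office workstation", "malware via e-mail", "no user awareness training", "High", "Low"),
    RiskItem("data center", "regional flood", "no off-site backups", None, "High"),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        score = "n/a" if r["score"] is None else f"{r['score']:.0f}"
        print(f"{r['level']:<8} {score:>4}  {r['item'].asset}: {r['item'].threat}")
```

Running the script lists the customer database (High, 100), the payroll server (Medium, 25) and the flood risk (Unrated) as open items; the workstation risk scores 10 and falls inside the accepted Low band. Raising `acceptable` to "Medium" drops the payroll server from the list but never the unrated entry.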
Business leaders must implement effective information security principles and ensure organization members are aware of the importance of information security. The organization must identify information security risks and have procedures in place to manage those risks. Finally, members must be trained to respond appropriately if risks become security incidents.
Janczewski, L. and Colarik, A. (2005). Managerial guide for handling cyber-terrorism and information warfare. Hershey, PA: Idea Group Publishing.
Stoneburner, G., Goguen, A., and Feringa, A. (2002). Risk management guide for information technology systems: Recommendations of the National Institute of Standards and Technology. Special publication 800-30. Retrieved February 1, 2008 from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
van Kessel, P. (2006). Achieving success in a globalized world: Is your way secure? 2006 Global Information Security Survey by Ernst & Young. Retrieved February 1, 2008 from http://www.ey.com/Global/assets.nsf/Austria/Global_Information_Security_Survey_06/$file/GISS-Global%20Information%20Security%20Survey06.pdf
Wulgaert, T. (2005). Security awareness: Best practices to secure your enterprise. Rolling Meadows, IL: ISACA.