Information Security Management

Author(s):  
Mariana Hentea

Information security management is the framework for ensuring the effectiveness of information security controls over information resources to ensure non-repudiation, authenticity, confidentiality, integrity and availability of the information. Organizations need a systematic approach for information security management that addresses security consistently at every level. However, the security infrastructure of most organizations came about through necessity rather than planning, a reactive-based approach as opposed to a proactive approach (Gordon, Loeb & Lucyshyn, 2003). Intrusion detection systems, firewalls, anti-virus software, virtual private networks, encryption and biometrics are security technologies in use today. Many devices and systems generate hundreds of events and report various problems or symptoms. Also, these devices may all come at different times and from different vendors, with different reporting and management capabilities and—perhaps worst of all—different update schedules. The security technologies are not integrated, and each technology provides the information in its own format and meaning. In addition, these systems across versions, product lines and vendors may provide little or no consistent characterization of events that represent the same symptom. Also, the systems are not efficient and scalable because they rely on human expertise to periodically analyze the data collected with all these systems. Network administrators regularly have to query different databases for new vulnerabilities and apply patches to their systems to avoid attacks. Quite often, different security staff are responsible for and dedicated to the monitoring and analysis of data provided by a single system. Security staff do not periodically analyze the data and do not communicate analysis reports to other staff in a timely manner. The tools employed have very little impact on security prevention, because these systems lack the capability to generalize, learn and adapt in time.


Author(s):  
Mariana Hentea

Information assurance is a continuous crisis in the digital world. The attackers are winning and efforts to create and maintain a secure environment are proving not very effective. Information assurance is challenged by the application of information security management which is the framework for ensuring the effectiveness of information security controls over information resources. Information security management should “begin with the creation and validation of a security framework, followed by the development of an information security blueprint” (Whitman & Mattord, 2004, p. 210). The framework is the result of the design and validation of a working security plan which is then implemented and maintained using a management model. The framework serves as the basis for the design, selection, and implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls. A blueprint can be designed using established security models and practices. The model could be proprietary or based on open standards. The most popular security management model is based on the British Standard 7999 which addresses areas of security management practice. The recent standards, called ISO/IEC 27000 family, include documents such as 27001 IMS Requirements (replaces BS7799:2); 27002, Code of Practice for Information Security Management (new standard number for ISO 17799); and 27006, Guidelines for the accreditation of organizations offering ISMS certification, and several more in development. Similar security models are supported by organizations such as NIST, IETF, and VISA. From one point of view, information security management evolved on an application of published standards, using various security technologies promoted by the security industry. Quite often, these guidelines conflict with each other or they target only a specific type of organization (e.g., NIST standards are better suited to government organizations). However, building a security control framework focused only on compliance to standards does not allow an organization “to achieve the appropriate security controls to manage risk” (ISM-Community, 2007, p. 27). Besides technical security controls (firewalls, passwords, intrusion detection systems, disaster recovery plans, encryption, virtual private networks, etc.), security of an organization includes other issues that are typically process and people issues such as policies, training, habits, awareness, procedures, and a variety of other less technical and nontechnical issues (Heimerl & Voight, 2005; Tassabehji, 2005). All these factors make security a complex system (Volonino & Robinson, 2004) and a process which is based on interdisciplinary techniques (Maiwald, 2004; Mena, 2004). While some aspects of information security management changed since the first edition of the chapter (Hentea, 2005), the emerging trends became more prevalent. Therefore, the content of this chapter is organized on providing an update of the security threats and impacts on users and organizations, followed by a discussion on global challenges and standardization impacts, continued with information security management infrastructure needs in another section, followed with a discussion of emerging trends and future research needs for the information security management in the 21st century. The conclusion section is a perspective on the future of the information security management.


2015 ◽  
Vol 23 (5) ◽  
pp. 476-496 ◽  
Author(s):  
Sindhuja P N ◽  
Anand S. Kunnathur

Purpose – This paper aims to discuss the need for management control system for information security management that encapsulates the technical, formal and informal systems. This motivated the conceptualization of supply chain information security from a management controls perspective. Extant literature on information security mostly focused on technical security and managerial nuances in implementing and enforcing technical security through formal policies and quality standards at an organizational level. However, most of the security mechanisms are difficult to differentiate between businesses, and there is no one common platform to resolve the security issues pertaining to varied organizations in the supply chain. Design/methodology/approach – The paper was conceptualized based on the review of literature pertaining to information security domain. Findings – This study analyzed the need and importance of having a higher level of control above the already existing levels so as to cover the inter-organizational context. Also, it is suggested to have a management controls perspective for an all-encompassing coverage to the information security discipline in organizations that are in the global supply chain. Originality/value – This paper has conceptualized the organizational and inter-organizational challenges that need to be addressed in the context of information security management. It would be difficult to contain the issues of information security management with the existing three levels of controls; hence, having a higher level of security control, namely, the management control that can act as an umbrella to the existing domains of security controls was suggested.


2015 ◽  
pp. 1436-1455
Author(s):  
Carol Hsu ◽  
Tawei Wang

Given the multifaceted problems and complexities of information security, the manner in which top management teams make investment and management decisions regarding security technologies, policy initiatives, and employee education could have a significant impact on the likelihood of information security breaches in organizations. In the context of information security management, it is not clear from the management literature how the characteristics of the top management team are associated with the possibility of information security breaches. The results demonstrate that the average length and heterogeneity of tenure could increase the possibility of breaches. However, age heterogeneity and the size of the top management team are negatively related to such a possibility. In addition, the findings suggest a nonlinear association between average age and tenure and the possibility of security breaches. The authors conclude the chapter with theoretical and practical implications on the organizational and managerial aspects of information security management.


2020 ◽  
Vol 6 (3) ◽  
pp. 66-74
Author(s):  
S. Erokhin ◽  
A. Petukhov ◽  
P. Pilyugin

The article discusses the security management capabilities of critical information infrastructures. It discusses approaches to developing security policies that don’t lean on assessing residual risks and identifying a fixed list of threats. We examine the possibility of building information security management systems based on monitoring of security events. A formal description of security events as well as relevant protection methods is proposed. The paper introduces an order relation for information security systems comparison and asymptotic CII security control implementation.


2020 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Fayez Ghazai Alotaibi ◽  
Nathan Clarke ◽  
Steven M. Furnell

Purpose – The human factor is a major consideration in securing systems. A wide and increasing range of different technologies, devices, platforms, applications and services are being used every day by home users. In parallel, home users are also experiencing a range of different online threats and attacks and are increasingly being targeted as they lack the knowledge and awareness about potential threats and how to protect themselves. The increase in technologies and platforms also increases the burden upon a user to understand how to apply security across differing technologies, operating systems and applications. This makes managing security across their technology portfolio increasingly troublesome and time consuming. This paper aims to propose an approach that attempts to propose a system for improving security management and awareness for home users. Design/methodology/approach – The proposed system is capable of creating and assigning different security policies for different digital devices in a user-friendly fashion. These assigned policies are monitored, checked and managed to review the user’s compliance with the assigned policies to provide bespoke awareness content based on the user’s current needs. Findings – A novel framework was proposed for improving information security management and awareness for home users. In addition, a mock-up design was developed to simulate the proposed approach to visualise the main concept and the functions which might be performed when it is deployed in a real environment. A number of different scenarios have been simulated to show how the system can manage and deal with different types of users, devices and threats. In addition, the proposed approach has been evaluated by experts in the research domain. The overall feedback is positive, constructive and encouraging. The experts agreed that the identified research problem is a real problem. In addition, they agreed that the proposed approach is usable, feasible and effective in improving security management and awareness for home users. Research limitations/implications – The proposed design of the system is a mock-up design without real data. Therefore, implementing the proposed approach in a real environment can provide the researcher with a better understanding of the effectiveness and the functionality of the proposed approach. Practical implications – This study offers a framework and usable mock-up design which can help in improving information security management for home users. Originality/value – Improving the security management and awareness for home users by monitoring, checking and managing different security controls and configurations effectively is the key to strengthening information security. Therefore, when home users have a good level of security management and awareness, this could protect and secure the home network and subsequently business infrastructure and services as well.


2014 ◽  
Vol 4 (2) ◽  
pp. 46-62
Author(s):  
Riku Nykänen ◽  
Tommi Kärkkäinen

Assuring information security is a necessity in modern organizations. Many recommendations for information security management exist, which can be used to define a baseline of information security requirements. ISO/IEC 27001 prescribes a process for an information security management system, and guidance to implement security controls is provided in ISO/IEC 27002. Finnish National Security Auditing Criteria (KATAKRI) has been developed by the national authorities in Finland as a tool to verify the maturity of information security practices. KATAKRI defines both security control objectives and security controls to meet an objective. Here the authors compare and align these two specifications at the process, structural, and operational levels, focusing on the security control objectives and the actual controls. Even if both specifications share the same topics at a high level, the results reveal the differences in the scope and in the included security controls.
