Information Security Management

2009 ◽  
pp. 675-681
Author(s):  
Mariana Hentea
Keyword(s):  
Information Security ◽  
Information Assurance ◽  
Security Management ◽  
Management Model ◽  
Information Security Management ◽  
Security Controls ◽  
Security Models ◽  
Emerging Trends ◽  
Design Selection ◽  
Training Habits

Information assurance is a continuous crisis in the digital world. The attackers are winning and efforts to create and maintain a secure environment are proving not very effective. Information assurance is challenged by the application of information security management which is the framework for ensuring the effectiveness of information security controls over information resources. Information security management should “begin with the creation and validation of a security framework, followed by the development of an information security blueprint” (Whitman & Mattord, 2004, p. 210). The framework is the result of the design and validation of a working security plan which is then implemented and maintained using a management model. The framework serves as the basis for the design, selection, and implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls. A blueprint can be designed using established security models and practices. The model could be proprietary or based on open standards. The most popular security management model is based on the British Standard 7999 which addresses areas of security management practice. The recent standards, called ISO/IEC 27000 family, include documents such as 27001 IMS Requirements (replaces BS7799:2); 27002, Code of Practice for Information Security Management (new standard number for ISO 17799); and 27006, Guidelines for the accreditation of organizations offering ISMS certification, and several more in development. Similar security models are supported by organizations such as NIST, IETF, and VISA. From one point of view, information security management evolved on an application of published standards, using various security technologies promoted by the security industry. Quite often, these guidelines conflict with each other or they target only a specific type of organization (e.g., NIST standards are better suited to government organizations). However, building a security control framework focused only on compliance to standards does not allow an organization “to achieve the appropriate security controls to manage risk” (ISM-Community, 2007, p. 27). Besides technical security controls (firewalls, passwords, intrusion detection systems, disaster recovery plans, encryption, virtual private networks, etc.), security of an organization includes other issues that are typically process and people issues such as policies, training, habits, awareness, procedures, and a variety of other less technical and nontechnical issues (Heimerl & Voight, 2005; Tassabehji, 2005). All these factors make security a complex system (Volonino & Robinson, 2004) and a process which is based on interdisciplinary techniques (Maiwald, 2004; Mena, 2004). While some aspects of information security management changed since the first edition of the chapter (Hentea, 2005), the emerging trends became more prevalent. Therefore, the content of this chapter is organized on providing an update of the security threats and impacts on users and organizations, followed by a discussion on global challenges and standardization impacts, continued with information security management infrastructure needs in another section, followed with a discussion of emerging trends and future research needs for the information security management in the 21st century. The conclusion section is a perspective on the future of the information security management.

Information security in supply chains: a management control perspective

2015 ◽  
Vol 23 (5) ◽  
pp. 476-496 ◽  
Author(s):  
Sindhuja P N ◽  
Anand S. Kunnathur
Keyword(s):  
Supply Chain ◽  
Information Security ◽  
Organizational Context ◽  
Security Management ◽  
Management Control ◽  
Organizational Level ◽  
Information Security Management ◽  
Content Type ◽  
Security Controls ◽  
Management Controls

Purpose – This paper aims to discuss the need for management control system for information security management that encapsulates the technical, formal and informal systems. This motivated the conceptualization of supply chain information security from a management controls perspective. Extant literature on information security mostly focused on technical security and managerial nuances in implementing and enforcing technical security through formal policies and quality standards at an organizational level. However, most of the security mechanisms are difficult to differentiate between businesses, and there is no one common platform to resolve the security issues pertaining to varied organizations in the supply chain. Design/methodology/approach – The paper was conceptualized based on the review of literature pertaining to information security domain. Findings – This study analyzed the need and importance of having a higher level of control above the already existing levels so as to cover the inter-organizational context. Also, it is suggested to have a management controls perspective for an all-encompassing coverage to the information security discipline in organizations that are in the global supply chain. Originality/value – This paper have conceptualized the organizational and inter-organizational challenges that need to be addressed in the context of information security management. It would be difficult to contain the issues of information security management with the existing three levels of controls; hence, having a higher level of security control, namely, the management control that can act as an umbrella to the existing domains of security controls was suggested.

Information Security Management

2008 ◽  
pp. 350-357 ◽  
Author(s):  
Mariana Hentea
Keyword(s):  
Information Security ◽  
Security Management ◽  
Virtual Private Networks ◽  
Product Lines ◽  
Information Security Management ◽  
Security Technologies ◽  
Detection Systems ◽  
Security Controls ◽  
Security Infrastructure ◽  
Management Capabilities

Information security management is the framework for ensuring the effectiveness of information security controls over information resources to ensure no repudiation, authenticity, confidentiality, integrity and availability of the information. Organizations need a systematic approach for information security management that addresses security consistently at every level. However, the security infrastructure of most organizations came about through necessity rather than planning, a reactive-based approach as opposed to a proactive approach (Gordon, Loeb & Lucyshyn, 2003). Intrusion detection systems, firewalls, anti-virus software, virtual private networks, encryption and biometrics are security technologies in use today. Many devices and systems generate hundreds of events and report various problems or symptoms. Also, these devices may all come at different times and from different vendors, with different reporting and management capabilities and—perhaps worst of all—different update schedules. The security technologies are not integrated, and each technology provides the information in its own format and meaning. In addition, these systems across versions, product lines and vendors may provide little or no consistent characterization of events that represent the same symptom. Also, the systems are not efficient and scalable because they rely on human expertise to analyze periodically the data collected with all these systems. Network administrators regularly have to query different databases for new vulnerabilities and apply patches to their systems to avoid attacks. Quite often, different security staff is responsible and dedicated for the monitoring and analysis of data provided by a single system. Security staff does not periodically analyze the data and does not timely communicate analysis reports to other staff. The tools employed have very little impact on security prevention, because these systems lack the capability to generalize, learn and adapt in time.

scholarly journals Integralaus informacijos saugumo valdymo modelio taikymas Lietuvos valstybės institucijoms

2012 ◽  
Vol 61 ◽  
pp. 31-58
Author(s):  
Saulius Jastiuginas
Keyword(s):  
Information Security ◽  
Security Management ◽  
Management Model ◽  
Information Security Management ◽  
Normative Documents ◽  
State Institutions ◽  
Evaluation Approach ◽  
Expert Interview ◽  
New Instrument ◽  
Security Management Model

Pirmieji informacijos saugumą reglamentuojantys dokumentai Lietuvoje patvirtinti prieš 15 metų. Pirmasis informacijos saugumo strateginis dokumentas taip pat jau pradėjo skaičiuoti antrą dešimtmetį. Nuolat kintantis informacijos saugumo praktinis problematikos laukas lėmė ne vieną šių dokumentų atnaujinimo iteraciją bei nemažai informacijos saugumo stiprinimo veiklų. Dauguma šių veiklų apsiribojo techninių ir administracinių priemonių taikymo nustatymu bei formalizavo atsakomybes, susijusias su informacijos saugumu, užtikrinimą.Vertinant tiek globalų, tiek Lietuvos informacijos saugumo valdymo mokslinių tyrimų kontekstą galima pastebėti, kad šalia ilgą laiką vyravusios technologinių sprendinių taikymo problematikos ryškėja aktualūs žmogiškieji, ekonominiai ir kiti klausimai, kyla platesnio vadybinio požiūrio poreikis ir tampa akivaizdu, kad esamos praktinės informacijos saugumo valdymo priemonės nebėra pakankamos informacijos saugumui valdyti. Sprendžiant šią problemą, kaip nauja priemonė galėtų būti pagalbus teorinis integralus informacijos saugumo valdymo modelis, sujungiantis informacijos saugumo valdymo ir informacijos vadybos dedamąsias.Šio straipsnio tikslas – aptarti atliktą teorinio integralaus informacijos saugumo valdymo modelio praktinio pritaikomumo tyrimą. Praktinio pritaikomumo tyrimas atliekamas vertinat informacijos saugumo valdymą Lietuvos valstybės institucijose. Straipsnyje aptariamam tyrimui buvo keliami šie uždaviniai: suformuoti informacijos saugumo valdymo Lietuvos valstybės institucijose vertinimo prieigą; atlikti atvejo analizę – dokumentų turinio analizės metodu išnagrinėti teisės aktų bazėse ir Lietuvos valstybės institucijų svetainėse skelbiamus norminius dokumentus, reglamentuojančius informacijos saugumo valdymą; gautus analizės rezultatus pagrįsti kokybiniu tyrimu – ekspertų apklausa.Straipsnyje pateikti tyrimų rezultatai leido patvirtinti integralaus informacijos saugumo valdymo modelio pagrįstumą, įvertinti informacijos saugumo valdymą Lietuvos valstybės institucijose, identifikuoti trūkumus, pateikti praktinio problemų sprendimo siūlymus ir sukurti prielaidas tolesniems moksliniams tyrimams.Straipsnis parengtas remiantis dokumentų turinio analizės, lyginamosios analizės, dokumentiniu atvejo tyrimo, kokybinio tyrimo (ekspertų apklausos) ir apibendrinimo metodais.Pagrindiniai žodžiai: informacijos saugumo valdymas, integralus informacijos saugumo valdymo modelis, Lietuvos valstybės institucijos.Integral information security management model for Lithuanian state institutionsSaulius JastiuginasSummaryThe information security management research analysis shows that for a long time the technological solutions of research problems have dominated, but lately more relevant have become the human, economic and other issues, and there is a need for a more managerial approach. It is obvious that the current practice of information security management tools is no longer adequate for information security management. As a new instrument to address this problem, a theoretical integral information security governance model could be used. It combines the information security management and information management tools.The article aims to discuss empirical study as a theoretical integral information security management model that could be applied in practice. The practical applicability of the model was checked in in the Lithuanian state institutions. The paper discusses the study which has the following objectives: development of information security management in the Lithuanian state institutions evaluation approach, analysis of a case – the content analysis method to examine the legislative databases published in normative documents concerning information security management and proving the results through qualitative research (expert interview).The paper presents the research results which confirm the validity of the integral theoretical information security management model and allows to assess information security management in the Lithuanian state institutions, to identify the shortcomings, to make suggestions for practical problem-solving and create conditions for the further research.

Information Security Management

2011 ◽  
pp. 390-395
Author(s):  
Mariana Hentea
Keyword(s):  
Information Security ◽  
Security Management ◽  
Virtual Private Networks ◽  
Product Lines ◽  
Information Security Management ◽  
Security Technologies ◽  
Detection Systems ◽  
Security Controls ◽  
Security Infrastructure ◽  
Management Capabilities

Information security management is the framework for ensuring the effectiveness of information security controls over information resources to ensure no repudiation, authenticity, confidentiality, integrity and availability of the information. Organizations need a systematic approach for information security management that addresses security consistently at every level. However, the security infrastructure of most organizations came about through necessity rather than planning, a reactive-based approach as opposed to a proactive approach (Gordon, Loeb & Lucyshyn, 2003). Intrusion detection systems, firewalls, anti-virus software, virtual private networks, encryption and biometrics are security technologies in use today. Many devices and systems generate hundreds of events and report various problems or symptoms. Also, these devices may all come at different times and from different vendors, with different reporting and management capabilities and—perhaps worst of all—different update schedules. The security technologies are not integrated, and each technology provides the information in its own format and meaning. In addition, these systems across versions, product lines and vendors may provide little or no consistent characterization of events that represent the same symptom. Also, the systems are not efficient and scalable because they rely on human expertise to analyze periodically the data collected with all these systems. Network administrators regularly have to query different databases for new vulnerabilities and apply patches to their systems to avoid attacks. Quite often, different security staff is responsible and dedicated for the monitoring and analysis of data provided by a single system. Security staff does not periodically analyze the data and does not timely communicate analysis reports to other staff. The tools employed have very little impact on security prevention, because these systems lack the capability to generalize, learn and adapt in time.

Sign in / Sign up

Export Citation Format

Share Document