IT Security is a very vast domain of activities and a critical topic for companies that rely heavily on their IT infrastructure to operate, manage and communicate. As interconnectivity increases exponentially, including between corporations, governments, … the exposure to a new variety of risks is also growing, and new threats and vulnerabilities are rising accordingly. This leads all IT-dependent entities (governments, corporations, …) to seek a greater awareness and understanding of what IT security means, and to review their plans to address this new challenge, which could heavily damage the reputation, the security and therefore the objectives of the said entity. Boyce and Jennings (2002) confirm this by stating that Information Assurance, or managing IT Security, is a “defense that provides a means of protecting the organization’s Critical Objects and achieving a state of risk that is acceptable to the organization’s management”.
Before moving to the cultural aspect of IT Security, let us define what IT security is. To achieve this, it is necessary to look at the bigger picture and understand where IT Security comes from. The logical way of doing so is to refer to a globally recognized standard framework: the one from the Information Systems Audit and Control Association (ISACA), which developed COBIT. “COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises.” (ISACA 2009). This framework shows IT Security as part of the overall Information Risk Management function, which holistically encompasses all aspects of information and not only the IT part. Boyce and Jennings (2002) support that statement as well, since for them IT risk management is part of the overall Information Assurance framework.
In this environment, and looking at different sources, the common denominator can be found in BusinessDictionary.com (2012), i.e. “Safe-guarding an organization’s data from unauthorized access or modification to ensure its availability, confidentiality, and integrity”. It also has to be highlighted that there are trends to add other attributes to the CIA (Confidentiality, Integrity and Availability) model, but they are still open for debate and so are not yet considered standards. It is also not part of the objectives of this dissertation to assess this definition. That definition has to be complemented by the scope of IT Security for an organisation, i.e. all electronically stored, processed and transmitted information and the associated systems and networks.
To give even more context on IT Security and the importance of its management, it is valuable to look at the origins, reasons and international development of the discipline. In 2002 the OECD worked on standards and guidelines for the security of information systems and networks. The purpose of these guidelines is to foster a culture of security and promote it widely. What they also bring to the table is what lies above and beyond the technology: they talk about values and ethics, which raises the importance of the topic and the attention any organisation should pay to it. These guidelines also reinforce what we read in the ISACA framework, i.e. “Security management should be based on risk assessment and should be dynamic, encompassing all levels of participants’ activities and all aspects of their operations”.
It should be highlighted that even if these guidelines were adopted as a Recommendation of the OECD Council at its 1037th Session on 25 July 2002, they are still very relevant today and aligned with the COBIT or ITIL frameworks. Another important point to make is that the scope of Information Risk Management, in terms of processes and controls, is really vast:
• Assess Risks:
  o Define Risk Assessment Approach
  o Enable and Quality Assure Risk Assessments
  o Maintain company’s Risks Register
  o Consolidate Risk Profiles
• Define Controls:
  o Maintain company’s Controls Register
  o Define Controls proportional to Risks
  o Define Information Classifications
  o Validate Specifications/Procedures
  o Build Awareness on Risks/Controls
• Investigate Incidents & Surveillance:
  o Investigate Incidents
  o Execute Root Cause analyses
  o Conduct Surveillance to detect e.g. Intrusion, Data Leakage, Vulnerability
  o Report Threat & Vulnerability exposure
  o Validate
BOYCE, J. and JENNINGS, D., 2002. Information Assurance: Managing Organizational IT Security Risks. 1st Edition. Oxford, UK: Butterworth-Heinemann Ltd.
BUSINESSDICTIONARY.COM, 2012. Information Security. Washington, USA: WebFinance Inc. Available from: http://www.businessdictionary.com/definition/information-security.html. [Accessed 16 July 2012].
ISACA, 2009. Security Incident Management Audit/Assurance Program. Rolling Meadows, USA: Information Systems Audit and Control Association.
OECD, 2002. OECD Guidelines for the Security of Information Systems and Networks, towards a culture of Security. Paris, France: OECD.