Refereed Paper
An integral framework for information systems security management
Introduction
Security of information systems (IS) is becoming a part of core business processes in every organization. Companies are faced with contradictory requirements to deal with open systems on the one hand and assure high protection standards on the other. Appropriate treatment of related issues is far from trivial and requires a wide spectrum of knowledge, ranging from technology and organization to legislation. There are various approaches in the literature, some of them being almost exclusively technical, e.g. [Stallings, 1999], some of them hardly mentioning security issues, e.g. [Harmon, 2001], some of them covering mainly human factors in organizational issues, e.g. [Wysocki, 1997], and some of them covering only legal issues, e.g. [Powers, 2001]. Therefore, a coherent conceptual model is needed to manage E-business systems security effectively by deploying existing approaches in a balanced way. Accordingly, this paper addresses these topics through integration of relevant areas, and it bridges the gaps between practitioners of various profiles that are involved in IS security.
To protect information, an organization has to start by identifying the threats to its business assets. Based on this threat analysis, a layered multi-plane approach is proposed. The first plane focuses on interactions: it starts with security mechanisms, builds security services on them, and links those services to human-machine interactions; finally, human interactions have to be covered. In parallel, to make the approach operational, a second perspective is needed, consisting of technological, organizational and legislative planes (Figure 1).
The detailed methodology, based on the above model, is presented in this paper with diagrams that state the inputs, processes and outputs capturing the business activities necessary for managing IS security. The diagrams are explained in the text, which also gives the background knowledge needed to understand the related issues.
The paper is organized as follows. The next section covers systems development and maintenance, which includes threat analysis, security infrastructure, public key infrastructure and additional elements of security infrastructure; it addresses practitioners' dilemmas about costs, outsourcing, and complementary and substitutive technologies. The third section covers security policy. It concentrates on human resources management while addressing organizational and legislative issues, including continuity planning, auditing and inter-organizational issues. This section serves as a template that a practitioner can follow to set up a sound security policy in an organization. The last section concludes the paper. The whole paper is based on best practices, the main international standards, and international, EU and US regulations.
Section snippets
E-Business systems development and maintenance
A detailed methodology for the technological plane is given in Figure 2. It is the starting point for E-business systems development and maintenance that is covered in the next section.
Conclusions
Managing security in information systems has reached the point where sufficient, but dispersed, knowledge exists in various domains. Approaches related to security of IS are to be linked within appropriate methodology to achieve optimal and balanced solutions for an enterprise. This is the main motivation behind the paper, which should provide security practitioners with concrete steps and sufficient background on related issues. It is based on experience gained with a nation-wide project of
Uncited references
- Devetak, 1995
- EU, 1998
- EU, 2001
- Group on the Next Generation Internet Policy, 2000
References (75)
- Aberdeen Group, 1998. Evaluating the Cost of Ownership for Digital Certificate Projects. Boston: Aberdeen...
- Alhir, S. 1998. UML in a Nutshell. Cambridge: O'...
- Anderson, R. J. 1994. Whither Cryptography. Inf. Management & Com. Security, Vol. 2, No. 5, pp....
- Anderson, R. J., Kuhn, M. 1996. Tamper Resistance — a Cautionary Note. The 2nd USENIX Workshop on E-commerce...
- ANSI, 1998. The Elliptic Curve Digital Signature Algorithm (ECDSA). X9.62 standard. Washington, DC:...
- Arce, I., 2002. Bug Hunting: The Seven Ways of the Security Samurai. Security & Privacy Supplement to IEEE Computer,...
- Aresenault, A. et al., 2002. Internet X.509 Public Key Infrastructure Roadmap. PKIX Draft Standard. Reston:...
- ASC X12, 2001. X12 Standard Release 4050. Washington, DC:...
- Baker & Mc Kenzie, 2002. Global E-Commerce Law. http://www.bmck.com/ecommerce/intlegis-t.htm. Chicago: Baker & Mc...
- et al., 1973. Secure Computer Systems: Mathematical Foundations. ESD-TR-73-278. Washington, DC: MITRE Corp.
Denis Trček
Denis Trček received his Ph.D. from the University of Ljubljana. His areas of research and interest include information systems and electronic business, with emphasis on security. He has taken part in various European research projects (NetLINK CEE, COST projects, etc.). He has been involved in application-oriented projects for, e.g., the Slovene National Gallery (implementation of IS), internet banking services for the biggest Slovene bank, Nova ljubljanska banka, and the introduction of smart cards into the health sector (a nationwide project). His bibliography includes over 60 titles, including papers in international journals with SCI impact factors and monographs. He was an invited speaker at international security events, e.g. the PKI Invitational Workshop, organized by US Vice President Al Gore's Committee for Security on the Information Superhighway, NIST and MITRE Corp. in September 1995, Washington DC. He has also been a member of program committees of international conferences.