Refereed Paper
An integral framework for information systems security management

https://doi.org/10.1016/S0167-4048(03)00413-9

Abstract

Business use of the Internet has exposed security as one of the key factors for successful online competition. Contemporary management of E-business security involves various approaches in different areas, ranging from technology to organizational issues and legislation. These approaches are often isolated, whereas the management of security requires an integrated approach. This article presents an approach to the management of E-business systems security that is based on integrating the existing approaches in a balanced way. To foster practical use of the conceptual model presented in this paper, brief background knowledge in the related areas is given.

Introduction

Security of information systems (IS) is becoming part of the core business processes in every organization. Companies face contradictory requirements: to operate open systems on the one hand and to assure high protection standards on the other. Appropriate treatment of the related issues is far from trivial and requires a wide spectrum of knowledge, ranging from technology and organization to legislation. There are various approaches in the literature: some are almost exclusively technical, e.g. [Stallings, 1999]; some hardly mention security issues, e.g. [Harmon, 2001]; some cover mainly human factors in organizational issues, e.g. [Wysocki, 1997]; and some cover only legal issues, e.g. [Powers, 2001]. Therefore, a coherent conceptual model is needed to manage E-business systems security effectively by deploying the existing approaches in a balanced way. Accordingly, this paper addresses these topics through the integration of the relevant areas, and it bridges the gaps between the practitioners of various profiles who are involved in IS security.

To protect information, an organization has to start with the identification of threats to its business assets. Based on this threat analysis, a layered, multi-plane approach is proposed. The first plane is focused on interactions: it starts with security mechanisms, on which security services are built; these services are then linked to human-machine interactions, and finally human interactions themselves have to be covered. In parallel, to make things operational, another perspective has to be addressed, comprising the technological, organizational and legislative planes (Figure 1).

The detailed methodology based on this model is presented in the paper with diagrams. The diagrams state inputs, processes and outputs, capturing the business activities necessary for the management of IS security. They are explained in the text, which also includes the background knowledge needed to understand the related issues.

The paper is organized as follows. The next section covers systems development and maintenance, including threat analysis, security infrastructure, public key infrastructure and additional elements of the security infrastructure. It addresses practitioners' dilemmas about costs, outsourcing, and complementary and substitutive technologies. The third section covers security policy. It concentrates on human resources management issues while also addressing organizational and legislative issues, including continuity planning, auditing and inter-organizational issues. This section is a kind of template that a practitioner can follow to set up a sound security policy in an organization. The last section concludes the paper. The whole paper is based on best practices, the main international standards, and international, EU and US regulations.


E-Business systems development and maintenance

A detailed methodology for the technological plane is given in Figure 2. It is the starting point for the E-business systems development and maintenance covered in the next section.

Conclusions

Managing security in information systems has reached the point where sufficient, but dispersed, knowledge exists in various domains. The approaches related to IS security have to be linked within an appropriate methodology to achieve optimal and balanced solutions for an enterprise. This is the main motivation behind the paper, which should provide security practitioners with concrete steps and sufficient background on the related issues. It is based on experience gained with a nation-wide project of

Uncited references

Devetak, 1995; EU, 1998; EU, 2001; Group on the Next Generation Internet Policy, 2000


References (75)

  • Aberdeen Group, 1998. Evaluating the Cost of Ownership for Digital Certificate Projects. Boston: Aberdeen...
  • Alhir, S. 1998. UML in a Nutshell. Cambridge: O'...
  • Anderson, R. J. 1994. Whither Cryptography. Inf. Management & Com. Security, Vol. 2, No. 5, pp....
  • Anderson, R. J., Kuhn, M. 1996. Tamper Resistance — a Cautionary Note. The 2nd USENIX Workshop on E-commerce...
  • ANSI, 1998. The Elliptic Curve Digital Signature Algorithm (ECDSA). X9.62 standard. Washington, DC:...
  • Arce, I., 2002. Bug Hunting: The Seven Ways of the Security Samurai. Security & Privacy Supplement to IEEE Computer,...
  • Arsenault, A. et al., 2002. Internet X.509 Public Key Infrastructure Roadmap. PKIX Draft Standard. Reston:...
  • ASC X12, 2001. X12 Standard Release 4050. Washington, DC:...
  • Baker & McKenzie, 2002. Global E-Commerce Law. http://www.bmck.com/ecommerce/intlegis-t.htm. Chicago: Baker & McKenzie...
  • Bell, D., et al. 1973. Secure Computer Systems: Mathematical Foundations. ESD-TR-73-278. Washington, DC: MITRE Corp.
  • Broder, J.F. 2000. Risk Analysis — The Security Survey. Woburn: Butterworth-...
  • BSI, 1999. Code of Practice for Information Security Management. British Standard 7799. London: British Standards...
  • Burrows, M., Abadi, M., Needham, R. 1990. Logic of Authentication. ACM Transactions on Comp. Systems, Vol. 8, No. 1,...
  • Cheswick, W., Bellovin, S. 1994. Firewalls and Internet Security. Reading:...
  • COBIT Steering Committee 1998. Executive Overview (2nd ed.). Rolling Meadows: Information Systems Audit and Control...
  • Crocker, D.H. 1982. Standard for the Format of ARPA Internet Text Messages. RFC 822. Reston:...
  • DeMaio, H. 2002. Global Trust, Certification and (ISC)2. Computers & Security Vol. 21, No. 8, pp....
  • Devargas, M., 1999. Survival is Not Compulsory. Computers & Security, Vol. 18, No. 1, pp....
  • Devetak, G. 1995. Organization of marketing and marketing information system. Organization and information systems....
  • Dichter, M.S., Burkhardt, M.S. 2001. Electronic Interaction in the Workplace: Monitoring, Retrieving and Storing...
  • Dierks, T., Allen, C. 1999. Transport Layer Security. Standard RFC 2246. Reston:...
  • Dreben, R.N., Werbach, J.L. 1999. Top 10 Things to Consider in Developing an Electronic Commerce Web Site. Publications...
  • Eastlake, D., Jones, P. 2001. Secure Hash Algorithm — 1. RFC 3174 Standard. Reston:...
  • EU, 1998. Data Protection Directive. Directive 95/46/EC, Official Journal of the European Communities. Brussels:...
  • EU, 1999. Electronic Signature Directive. Directive 1999/93/EC, Official Journal of the European Communities. Brussels:...
  • EU, 2000. Directive on Electronic Commerce. Directive 2000/31/EC, Official Journal of the European Communities....
  • EU, 2001. Directive on Privacy and Electronic Communications. Directive 2002/58/EC, Official Journal of the European...
  • Foti, J. (Ed.) 2001. Advanced Encryption Standard. FIPS Draft. Washington, DC:...
  • Foundation for Intelligent Physical Agents, 2001. FIPA Security SIG Request For Information. F-OUT-00065 Deliverable....
  • Freed, N. 1996. Multipurpose Internet Mail Extensions. RFC 2045 Standard. Reston:...
  • Freier, A.O., et al. 1996. Secure Sockets Layer Protocol (version 3). Mountain View: Netscape Corp....
  • Fumy, W., 2000. From Common Criteria to Elliptic Curves — ISO / IEC JTC 1/SC 27, IT Security Techniques. ISO Bulletin,...
  • Gong, L., Needham, R., Yahalom, R., 1990. Reasoning about Belief in Cryptographic Protocols. Proc. of the IEEE Computer...
  • Group on the Next Generation Internet Policy, 2000. e-Japan Initiative. Tokyo:...
  • Gutmann, P., 2002. PKI: It's Not Dead, Just Resting. IEEE Computer, Vol. 35, No. 8, pp....
  • Harmon, P., 2001. Developing E-Business Systems and Architectures. San Francisco: Morgan...
  • Hendry, M., 1997. Smart Card Security and Application. London: Artech...
Denis Trček

Denis Trček received his Ph.D. from the University of Ljubljana. His areas of research and interest include information systems and electronic business, with emphasis on security. He has taken part in various European research projects (NetLINK CEE, COST projects, etc.). He has been involved in application-oriented projects, e.g. for the Slovene National Gallery (implementation of an IS), internet banking services for the biggest Slovene bank, Nova ljubljanska banka, and the introduction of smart cards into the health sector (a nationwide project). His bibliography includes over 60 titles, including papers in international journals with SCI impact factors and monographs. He was an invited speaker at international security events, e.g. the PKI Invitational Workshop organized by US Vice President Al Gore's Committee for Security on the Information Superhighway, NIST and MITRE Corp. in September 1995, Washington, DC. He has also been a member of the program committees of international conferences.