Building and implementing a successful information security policy
Information Systems Security & Strategy
“Reports that say that something hasn’t
happened are always interesting to me, because
as we know, there are known knowns; there are
things we know we know. We also know there
are known unknowns; that is to say we know
there are some things we do not know. But
there are also unknown unknowns – the ones
we don’t know we don’t know.”
(Donald H. Rumsfeld, Defence.gov News
Transcript 2002.)
Abstract
A well-developed information security strategy, and the successful implementation of policies designed to protect the sensitive data of an organisation, its employees and customers, are essential if a company is to conduct profitable business in the modern, technologically advanced world we live in. This paper will explore some of the techniques, regulations and standards currently employed to achieve the highest levels of Confidentiality, Integrity and Availability (CIA) for the information assets that support business functions, and how these are put into practice. It will also analyse the various stages of implementation, discussing why a security policy is necessary, how to address risk in the context of information security, and the process of auditing and improving a strategy once it is in place.
The relatively new issues associated with a workforce that is increasingly reliant on mobile devices, and the proliferation and consumerisation of smartphones, laptops and tablet devices, are of increasing concern within the information security domain. It is the intention of this paper to highlight some of these concerns and to evaluate various methods that could enable the integration of such devices into an organisation without compromising the security of its information assets.
1. Introduction
Subsequent to a number of security and governance breaches in recent years involving well-known large companies in North America, Europe and the UK, and the associated compromise of sensitive personal information, as widely reported and discussed in the public domain, Information Security Strategy (ISS) and Information Security Management Systems (ISMS) play an increasingly important role in how an organisation conducts its business. Mandatory compliance with acts such as the Data Protection Act in the UK and the Sarbanes-Oxley Act in the US, and international regulatory requirements such as compliance with ISO 27001, mean that it is vital that a security strategy, the implementation of associated policies, and regular rigorous testing and improvement are conducted by an organisation in the pursuit of protecting its information assets.
This report will begin by discussing what an ISS is and defining how the core concepts of Confidentiality, Integrity and Availability of information underpin all of the regulations and methods employed in the pursuit of protecting information assets. It will then analyse some of the techniques used for a business to begin the process of implementing a security strategy: how to identify and assess threats and risks to sensitive information; what the typical standards are that a business may be required or obliged to adhere to; and how security audits and the reviewing of a security plan play a very important part in the development of a sound strategy. Finally, we will investigate the challenges that a business may face in the ‘information age’, including the multitude of (and sometimes conflicting) standards and models available to create a security strategy, and also the security risks associated with the increasing availability and use of mobile devices for the combined purposes of business and personal use by the modern workforce.
2. Information Systems Security & Strategy
In its most basic definition, an Information Security Strategy or Information Security Management System is a structured set of procedures and/or policies designed to protect an organisation’s information assets from being lost, stolen, destroyed or otherwise compromised, and one that “…reassures customers, employees, and suppliers that information security is a serious concern for the organisations with whom they deal.” (Freeman, 2007, p. 291). A fuller definition could be described as a document, or set of documents, containing formal statements of intent; the laws, techniques and regulations on how an organisation administers, protects and allows information to be shared; who has access to the organisation’s information technology assets; what information assets need to be protected; and how this is achieved. (Oladimeji, 2006).
This process can also be described as the act of ensuring due care and diligence is observed in an effort to “…avoid harm to another party.” (Freeman, 2007, p. 293). Using an information security management system, whether mandated by law or pursued as a business obligation, allows this due diligence to be proven. However, if no certifiable standard is used, an organisation should still be prepared to show that the implemented policies are thorough enough to provide effective security measures that protect the organisation, its employees, its customers, and any other stakeholder involved.
It follows that, in the pursuit of the protection of an organisation’s information assets, the Information Security triad (as described in Figure 1) of Confidentiality, Integrity and Availability generally forms the basic building blocks of any strategy or plan designed to achieve the required level of protection of ICT-supported business functions (Knapp et al, 2007). The CIA Triad is an extremely well-known reference model used in the design of security policy, but it is entirely concerned with information; while this serves as the core factor for most information security strategies, it could be argued that it should only be used as a starting point in the building of a comprehensive security strategy that takes into account wider factors and organisational concerns. Over the years there have been many attempts to incorporate other elements into the fundamental framework of CIA, such as Accountability and Non-repudiation, but as these categories are arguably a facet of Integrity, it can be argued that it doesn’t make sense to over-complicate the basics and be overly inclusive at such a fundamental level. (McCumber, 2005).
Figure 1: The Information Security CIA Triad
Source: blog.subcuri.net, 2010
In order to more fully describe the CIA Triad,
here follows a précis definition (Whitman &
Mattord, 2011) to expand on the core concepts
of what the words ‘Confidentiality’, ‘Integrity’,
and ‘Availability’ actually mean in the context of
protecting information.
Confidentiality: “Information has confidentiality
when it is protected from disclosure or exposure
to unauthorized individuals or systems.” (p. 13)
Integrity: “Information has integrity when it is
whole, complete, and uncorrupted.” (p. 13)
Availability: “…enables authorized users –
persons or computer systems – to access
information without interference or obstruction
and to receive it in the required format.” (p. 12)
Having defined and analysed the underpinning attributes of Confidentiality, Integrity and Availability, it can be concluded that in the implementation of a sound security plan these attributes must be applied to every relevant area, taking into account the state of the information (is it at rest, in transit or being processed?); how valuable the information asset is (intrinsic vs. imputed); the cost of its re-creation; and the impact on the business if the information is compromised.
The foundations of what a security strategy is actually designed to do having been established, we will now expand on these concepts in order to understand how an organisation may implement an information security strategy with the intention of protecting its information. There is an argument that the ‘five pillar framework’ of Culture, Leadership, Alignment, Structure and Systems (CLASS), as described by Drew and Kendrick (2006), forms the foundation for a successful risk management and governance strategy. The paper goes on to describe how and why each of these ‘pillars’ forms part of a framework that is a valuable tool because it can be applied to a whole organisation at a strategic, management or operational level; allows the framework to include all types of controls (input, output, process, social, adaptive); and “… supports management and control of risks of many types and origins.” (p. 29). Though the standards, practices and methods variously used in creating a comprehensive ISS differ widely, a business-orientated approach to achieving their shared ultimate goal of protecting information whilst conducting business profitably will foster global efficiency and competitiveness of business, whilst safeguarding shareholders and stakeholders (Commission of the European Communities, 2003).
Protecting information assets can be defined as the process of protecting information from a wide range of threats in order to ensure business continuity/disaster recovery, minimize business damage, and maximize return on investments. (International Organisation for Standardization, 2005). These processes and control mechanisms are defined in a number of very well-known standards, such as ISO 27002; the Data Protection Act; the Sarbanes-Oxley Act; and the Common Criteria for Information Technology Security Evaluation (CC), and as argued by Dresner & Wood (2007) may be viewed as the distilled best practice in managing specific risks. Compliance with these standards is expected to achieve predictable results, thereby reducing the uncertainty that may result in the loss of confidential/sensitive information; the loss of customer trust and confidence; and monetary loss due to fraud, theft or financial penalties that may be imposed for non-compliance.
Information security has become a complex arena to navigate, full of technological terms and standards, but the common goal of them all is to ensure that an organisation, its employees and customers are “…confident that the system meets a predefined level of security” (Freeman, 2007, p. 292), ensuring all possible steps are taken in order to meet the scope of the system and achieve the required level of assurance for the implemented information security standard or method.
Oladimeji et al. (2006, p. 1) state that “At the
organisational level an information security
policy document is usually used as the
foundation for a computer security program.”
The paper goes on to say that a security policy
defines what information needs to be protected;
actions that the various people and processes
are allowed to carry out on the information and
how these permissions can be adapted. The
application of these principles can be considered
to be high level policy making, therefore policies
for specific applications require refinement in
order to be implemented. Having discussed the
basic principles of Information Systems Security
Strategy (ISSS), the next section will address
and analyse the various techniques used within
the ISSS domain.
3. Discussion
It could be said that the primary function of an ISS within an organisation is to “minimize loss expectancy, or risk, by maximizing the efficiency of its mitigation efforts”. (Baker, 2007, p. 102). Put into ‘business speak’, this may be translated as seeing a Return on Investment (RoI) for any information security measures that are implemented, which would prompt board-level discussions around the question of how far an organisation is willing to go to mitigate risk, and whether the financial cost of that mitigation is justified by the benefits. (Damianides, 2005).
In recent years, due to the “…devastating failures of governance at well known firms in North America, the UK and Europe” (Drew & Kendrick, 2005, p. 20) and the implementation of regulations and codes of conduct such as the US Sarbanes-Oxley Act of 2002 and the Data Protection Act of 1998, the topics of corporate governance and risk management have risen in importance and find themselves high on the agenda for many senior executives and in the boardrooms of many organisations. Information security systems are not only important from a regulatory perspective; as discussed by Knapp et al. (2007), they allow information technology to assist in gaining advantages in the marketplace by enabling an organisation to secure competitive advantages such as business continuity, increased customer confidence, and the mitigation of information leaks, disclosure threats and fines.
Consequently, in order to mitigate risk an organisation must define and categorize what these risks are. Drew & Kendrick (2005, p. 22) state that “The different ways of defining, classifying, and measuring risk do matter, and are of more than academic concern.” For this reason, risks must be classified according to the industry and the chosen strategy in order for them to be addressed appropriately. Analysing this further, first and foremost it is of vital importance that an ISS is implemented with the full support of organisational executives in order to obtain funding for an information security function. Indeed, this was raised as the top-ranked issue in a survey of 874 information security professionals and business managers conducted by Knapp et al. (2007). One of the key points highlighted in this study was the need for effective communication between security professionals and managers in order for a comprehensive and coherent security plan to be put together, ensuring ‘buy-in’ from the board and the allocation of appropriate funding for its development and implementation.
Before a technical or in-depth security policy is
drafted, a top level policy needs to be written
and signed off by the CEO that states the board-
level concerns of the organisation. The top level
concerns could be sought by using the six
simple questions of: when, what, where, why,
who, and how, to help develop those ideas.
Asking such questions as ‘what information
needs to be protected?’; ‘why information
security makes business sense?’; and ‘who is
responsible for making the information secure?’
can then be used as a starting point from which
a policy can be developed that addresses those
areas effectively. (Kadam, 2007).
Progressing from the stage of developing management ‘buy-in’ to the implementation of an ISMS after approval has been granted, the implementation of a strategy generally follows this course: valuing information assets and defining the scope of the ISMS; defining the risk assessment approach; identifying acceptable risks; ensuring the risk assessment methodology produces comparable and reproducible results; identifying risks and analysing/evaluating them; identifying treatment actions; implementing the ISMS after a Statement of Applicability (SoA) has been drafted and granted appropriate authorization; conducting an audit as required for compliance with a legislated act (e.g. Sarbanes-Oxley); and finally reviewing/maintaining the ISMS. (British Standards Institution, 2005). The ‘Plan-Do-Check-Act’ model (Figure 2), as used in ISO 27001, can be seen to address these topics; it is iterative in nature and can be used as a method for constant information security improvement.
Figure 2: The ‘Plan-Do-Check-Act’ Model
Source: http://27001.denialinfo.com, 2007
Having discussed the implementation stages of a security policy, and seeing that a top-level policy would be in place at this stage that clearly demonstrates top-level commitment and intent to implement an information security strategy, intent alone would not be enough to develop a comprehensive policy. The next stage, then, would be to evaluate the organisation’s information assets and identify the threats posed to them. (Kadam, 2007 and Poore, 2000). The overall purpose of this valuation exercise is to ensure that the controls implemented are appropriate, and that a sufficient budget has been allocated for information security. A simple method of determining the value of an entity is to establish how much the creation or acquisition of that information cost in the first instance, and how much it would cost to re-create if damaged or lost. Should these values differ markedly (with the cost of re-creation being significantly, or prohibitively, expensive), it can be argued that a higher initial value can be placed on the original asset, with the appropriate controls then applied to it. (Poore, 2000).
Following on from the idea that a valuation exercise needs to be performed on all information assets, and referring back to the CIA Triad, Poore (2000) argues that these assets can be said to hold a positive value when they are “… accurate, timely, useful, permitted and rare.” (p. 19). This positive value is compromised when the Confidentiality, Integrity or Availability of an information asset fails. An information security strategy must address these issues in order to mitigate the impact of any risk which causes an information asset to be lost, damaged or otherwise compromised. Another way of valuing information as an asset is to ascertain whether it has future benefit as something that could be sold, or shared for economic gain or for a strategic business advantage. One must be aware that most information changes value as it ages, and must be kept up-to-date and current to be at its most useful. The value of this information can be measured from the frequency of its use or exchange; a value can then be assigned to an information asset dependent on how much other organisations are willing to pay for it. Further to this, McCumber (2005) posits that information could be said to have a reduced value if it cannot be accessed, and can become a significant liability in terms of the costs required to store and maintain it.
When a valuation exercise has been conducted, in order for a security policy to address risk and impose relevant countermeasures or controls, a risk identification methodology must be employed to define the severity of the risk, its impact, and the likelihood of the risk occurring. This will allow the security strategist to apply the correct controls and then assess how the particular risk will be addressed. The risk appetite of the organisation must also be assessed in order to ensure a suitable risk treatment methodology is applied, employing one or more countermeasures to ensure risks are addressed appropriately, either by prevention (stopping the realisation of the risk); reducing the effect when an identified risk occurs; transferring the risk to another entity; having a contingency plan in place if and when a risk occurs; or accepting that even if an identified risk/threat occurs the organisation can “live with it.” (Dresner & Wood, 2007, p. 303).
Accordingly, a recognized basic model (Figure
3) for conducting a risk assessment follows the
lines of valuing assets, as discussed; assessing
threats and vulnerabilities; determining the risks;
safeguarding the assets in some way and finally
re-visiting the decisions made in order to
continue the process and continually improve or
update a security policy to reflect the changing
requirements of legislation or a company’s own
internal processes.
Figure 3: Basic Risk Assessment Process
Source: McCumber, 2005 (p. 236)
It follows that, as part of the risk assessment process, risks must be logically categorized in order for them to be properly understood and remediated, or at least for the correct controls to be applied. One technique for categorizing risks is by their defining characteristics of being ‘known’, ‘unknown’ or ‘unknowable’ (Figure 4). Analysing this model, we can see that well-understood ‘known’ risks have a high chance of occurring time after time in risk assessments; ‘unknown’ risks are not included in a security policy because the assessment lacks expertise; and ‘unknown/unknowable’ risks could not be reasonably predicted, even with a wide and experienced knowledge base. (Dresner & Wood, 2007). Though it would be possible to devote a lot of time to the classification and measurement of risk, Drew (2005) argues that this exercise should be limited to the extent required to energise a new strategy and gain commitment from senior management, as the integration of this risk planning into a successful security policy requires a number of stages that allow for modification as work progresses.
Figure 4: Risk Categorization
Source: Dresner & Wood, 2007 (p. 303)
The analysis of risk classification having been discussed, the nature of the risks faced by an organisation must be defined in such a way as to allow the appropriate treatment to be applied should a risk occur. A ‘Probability’ versus ‘Consequences’ model enables risks to be classified according to the likelihood of them occurring and the impact caused by the event. This classification method then allows the approach to risk management to change according to severity. Drew (2005) argues that low-probability, low-impact events may only require routine monitoring, with little involvement from senior leadership or need for cultural change in the organisation; low-probability, high-impact events, however, would require an organisation to apply controls that allow for the continuity of business; recovery, or the use of backup systems; a high level of security awareness and training for staff; and attention to the structures and systems of the organisation. High-probability, low-impact events require that resources are made readily available for risk management, with visible leadership commitment. High-probability, high-impact events, clearly the most severe in this model, require that applicable controls are put in place with some urgency in order to mitigate, or severely reduce, the consequences of the risk occurring. Considering this argument, one must also take into account the size of the organisation for which a security policy is being designed: a large company may have a framework that is complex and contains a large number of advanced controls, while a smaller company could potentially rely on fewer, simpler controls.
Once risks have been defined and categorized, a Risk Treatment Plan must be formulated, whereby a control is applied to each risk in order for it to be treated, reduced, transferred or accepted, and these decisions are documented accordingly. One of the issues put forth in the previously mentioned study of business managers and information security professionals (Knapp et al., 2007) concerns the domain of password management and excessive security measures being applied, whereby business managers (in general) valued productivity over information security and argued that overly stringent password policies can even decrease security. This decrease in security would be caused by employees being forced to use overly complex passwords for multiple applications and writing them down for fear of forgetting them. A security plan would need to consider an issue such as this and either accept the risk (of passwords being written down, and therefore having a higher chance of being compromised), or otherwise treat or reduce it, perhaps by changing the complexity of the password requirements defined by policy.
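The valuation, classification and treatment steps discussed above can be tied together in a small risk register. The following Python example is added here to illustrate them; it is not part of the paper and none of its figures come from it. The 1 to 5 rating scales, the threshold of 3 for ‘high’, the risk appetite of 4, and every asset, risk, cost and control are constructed assumptions. It values an asset at the higher of its creation and re-creation cost, places each risk in the probability-versus-consequences matrix with the response per quadrant as summarised from Drew (2005), and picks from the treatment options (prevent, reduce, transfer, contingency, accept), buying a control only when it brings the residual risk within appetite and costs less than the asset it protects, which is the RoI argument in its simplest form. The password-complexity issue from the Knapp et al. study is included as one of the sample risks.

```python
"""Worked risk register: asset valuation, probability/consequence classification
and treatment selection. Scales, thresholds and sample data are all constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HIGH = 3  # assumed: a rating of 3 or more on the 1..5 scale counts as "high"

@dataclass(frozen=True)
class Asset:
    name: str
    creation_cost: float    # what creating or acquiring the information cost
    recreation_cost: float  # what re-creating it would cost if damaged or lost
    def value(self) -> float:
        # where re-creation is markedly dearer, the higher figure is placed on the asset
        return max(self.creation_cost, self.recreation_cost)

@dataclass(frozen=True)
class Risk:
    asset: Asset
    description: str
    probability: int  # assumed scale 1 (rare) .. 5 (almost certain)
    consequence: int  # assumed scale 1 (negligible) .. 5 (severe)
    def score(self) -> int:
        return self.probability * self.consequence

@dataclass(frozen=True)
class Control:
    name: str
    treatment: str  # "prevent", "reduce", "transfer" or "contingency"
    cost: float
    residual_probability: int  # ratings once the control is in place
    residual_consequence: int
    def residual_score(self) -> int:
        return self.residual_probability * self.residual_consequence

# Recommended response per quadrant of the probability-versus-consequences matrix.
RESPONSES = {
    ("low", "low"): "routine monitoring",
    ("low", "high"): "continuity/recovery controls and staff awareness training",
    ("high", "low"): "resources readily available, visible leadership commitment",
    ("high", "high"): "applicable controls put in place with urgency",
}

def classify(risk: Risk) -> Tuple[str, str]:
    """Quadrant as (probability, consequence), each "low" or "high"."""
    p, c = (("high" if r >= HIGH else "low") for r in (risk.probability, risk.consequence))
    return p, c

def select_treatment(risk: Risk, appetite: int,
                     candidates: List[Control]) -> Tuple[Optional[str], Optional[Control]]:
    """Returns (treatment, control); (None, None) means nothing viable: escalate."""
    if risk.score() <= appetite:
        return "accept", None
    # A control is worth buying only if it brings residual risk within appetite
    # and costs less than the asset it protects (the return-on-investment test).
    viable = [c for c in candidates
              if c.residual_score() <= appetite and c.cost < risk.asset.value()]
    if not viable:
        return None, None
    best = min(viable, key=lambda c: c.cost)  # cheapest control that does the job
    return best.treatment, best

def build_register(risks: List[Risk], appetite: int,
                   controls: Dict[str, List[Control]]) -> List[dict]:
    """One Risk Treatment Plan row per risk, ready to be documented."""
    rows = []
    for risk in risks:
        quadrant = classify(risk)
        treatment, control = select_treatment(risk, appetite, controls.get(risk.description, []))
        rows.append({
            "risk": risk.description,
            "quadrant": f"{quadrant[0]} probability / {quadrant[1]} impact",
            "response": RESPONSES[quadrant],
            "treatment": treatment or "ESCALATE: no viable control",
            "control": control.name if control else "-",
            "residual": control.residual_score() if control else risk.score(),
        })
    return rows

# Constructed sample data (not from the paper); a risk appetite of 4 is assumed.
CUSTOMER_DB = Asset("customer database", creation_cost=50_000, recreation_cost=200_000)
INTRANET = Asset("intranet news pages", creation_cost=2_000, recreation_cost=500)
SAMPLE_RISKS = [
    Risk(CUSTOMER_DB, "customer records disclosed to an unauthorised party", 3, 5),
    Risk(CUSTOMER_DB, "backup media destroyed in an office fire", 1, 5),
    Risk(CUSTOMER_DB, "staff write down over-complex passwords", 4, 3),
    Risk(INTRANET, "intranet news page defaced", 4, 1),
    Risk(INTRANET, "intranet server hardware failure", 2, 3),
]
SAMPLE_CONTROLS = {
    "customer records disclosed to an unauthorised party": [
        Control("cyber insurance", "transfer", 30_000, 3, 2),
        Control("encryption plus access monitoring", "reduce", 25_000, 2, 2),
    ],
    "backup media destroyed in an office fire": [
        Control("off-site backup copy", "contingency", 3_000, 1, 2)],
    "staff write down over-complex passwords": [
        Control("mandate 20-character passwords", "prevent", 500, 4, 3),
        Control("relax complexity, enforce length and MFA", "reduce", 5_000, 2, 2),
    ],
    "intranet server hardware failure": [
        Control("high-availability cluster", "reduce", 8_000, 1, 3)],
}
```

Calling `build_register(SAMPLE_RISKS, appetite=4, controls=SAMPLE_CONTROLS)` yields one row per risk: the disclosure and password risks are reduced (the cheap 20-character mandate is rejected because it leaves the written-down-password risk unchanged), the fire risk gets the contingency control, the defacement risk is accepted because it already sits within appetite, and the intranet hardware risk is escalated because the only control costs more than the asset is worth.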
The production, implementation and categorization of risk having been thoroughly analysed, one must next consider the information management audit as a critical function in the life-cycle of a sound ISS and good corporate governance. An audit may be an internal function; required as part of a regulatory act (Sarbanes-Oxley, for example); or, as in the case of ISO 27001, required in order to be certified ‘compliant’ with a specific standard. As argued by Bassett (2007), an effective audit “...can enhance the organisation’s security stance, further its mission, and act as a catalyst that promotes sound IT governance”, and involves reviewing controls and compliance with policies to help an organisation monitor how it conducts business whilst protecting the company, its employees and customers. An audit also systematically validates the security, reliability, integrity and privacy of information systems in order to ensure that their activities are legal. (Carlin and Gallegos, 2007).
The progression of an audit process usually follows several stages, and in ISO 27001 this is defined as a three-stage process:
1. A preliminary review, which will be an informal/internal review of the information security plan to check for completeness in key documents, such as the information security policy and Risk Treatment Plan.
2. A detailed (possibly formal) compliance audit. For example, in the pursuit of ISO 27001 compliance, qualified external auditors will gather evidence to confirm that the strategy has been properly designed, implemented and is in current operation.
3. Follow-up reviews to confirm that compliance is maintained.
ISO 27001 requires that this process should happen annually, at a minimum, but it can be conducted more frequently (if agreed by management), particularly whilst an ISMS is in its infancy and still maturing. Looking at this from a wider perspective, Carlin and Gallegos (2007) argue that an audit cycle consists of several phases that serve to define the scope of an audit and its objectives; evaluate internal controls; conduct compliance testing; and finally report on detected weaknesses or failures within the system.
Having looked at the various stages of an audit process, we must now look at how an audit might take place. This involves employing a systematic approach in order to test all of the relevant areas, also described as conducting ‘fieldwork’ to test the controls. This can be done by using automated tools (programs such as Nmap, Snort and Nessus are commonly used within the information security domain) that respectively provide information about a network, such as the operating system being run, the services being provided and the types of firewall in place; intrusion detection, packet sniffing or logging, and network traffic analysis; and network scanning to report on devices identified as being vulnerable to attack or security breach and to provide recommendations. (Viljoen, 2008). Following on from the argument that an audit helps to validate an organisation’s security posture, Fitzgerald (2007) asserts that it is essential that audit issues are quickly and correctly analysed by IT management: the Confidentiality, Integrity and Availability of information is potentially compromised when the defined process is not followed and misguided investment is made in firewalls, anti-virus software, spam filtering and other technologies rather than in effectively reviewing the logs, reports and suggested remediation techniques of the tools already employed.
4. Issues within Information Systems Security
It is apparent that, despite the wealth of literature, models, methods and tools available to aid the implementation of information security strategies, there are a multitude of conflicting arguments and ‘outdated’ ideas being replaced by new and ever-changing regulations, techniques and standards. This is discussed by Mead et al. (2000), who debate whether or not the information security policy field is developing at a rapid enough pace, and whether it should be individual organisations, official standards bodies, governments or other entities that are responsible for the establishment of security policy, along with the pros and cons of these choices. Another question raised in the discussion asks whether it is practical to have a universal, standardised approach that would satisfy everyone, and whether it would be a viable alternative to the current situation, whereby there are often multiple (and sometimes competing) standards.
As well as the issues raised regarding where responsibility should lie for the implementation of security strategies, McCumber (2005) asserts that “all models have shortcomings” (p. 15) and goes on to state that, just as maps are unable to provide details of traffic jams and blueprints for buildings lack topographical detail, it is likewise impossible for any single model for information security planning to provide ‘security out-of-the-box’, due to factors such as human error, or, as detailed by Knapp et al. (2006), “User awareness training and education” issues; “Low funding and inadequate budgets”; and “Legal and regulatory issues” (Table 1, p. 101). The report continues to highlight that security professionals and business managers have differing opinions on what the most important issues are when addressing the security concerns of an organisation. This could be a result of the differing focus of the two groups, with security professionals approaching things from a more technical direction, an area relatively invisible to business managers. Perhaps unsurprisingly, though, the two groups had the issues of Confidentiality, Integrity and Availability (of information), and backup and recovery / business continuity, as areas of common ground, as these may be considered critical issues and high on the list of any plan required to mitigate loss (financial or data) and to justify expenditure when viewed from either an IT security or a business perspective.
Other areas that must be weighted with increasing importance in the domain of information security strategy are the issues of an increasingly mobile workforce and the security concerns associated with the use of smartphones, laptop computers and tablet devices. Consumerisation of these devices is well reported: in one study (Signorini and Hochmuth, 2010), 54% of business professionals use their personally purchased device, and 34% use non-approved applications such as Google Docs or Yahoo! Messenger for business-related activities. The report goes on to argue that the factors driving this trend are the proliferation and availability of smartphones and tablets; easier integration of these devices into business applications; and an increasingly blended work/home life. An organisation must find common ground whereby the user and the business both benefit from this integration, whilst still protecting sensitive data from being compromised. Despite reports such as these, the findings of Baker and Wallace (2007) indicate that the identification and tracking of remote connections into the enterprise (and potentially critical systems) are not generally highlighted as a significant source of risk and therefore have sufficient security controls applied.
Therefore, it can be argued that some smartphone capabilities have legitimate business functions for mobile employees, for example the integration of business e-mail into native mail applications, navigation/GPS and Instant Messenger, all of which are generally considered to be ‘personal’ features. However, each application should be individually evaluated to determine whether it is harmful to the security of the organisation, and whether a mobile device policy (as part of the ISS/ISMS) explicitly forbids the use of personal devices or incorporates them into the organisation with the appropriate control mechanisms applied to ensure the security of any information that is accessed and then stored on these devices.
5. Conclusions
With increasingly severe financial penalties, potential loss of earnings, and damage to the reputation of an organisation arising from the loss or theft of sensitive information, non-compliance with legal standards, or breach of governmental legislation such as the Data Protection Act, it is of vital importance to a business that enough time, effort and budget is allocated to the design and implementation of, and adherence to, a sound security strategy that will do its best to protect its own information assets and those of its employees, customers and business partners.
Information security professionals, IT staff and business managers must between them balance the requirements of a strong security strategy against the allocated budget: doing the absolute maximum to protect the organisation’s information assets whilst being reasonable about security-related expenditure, in the pursuit of regulatory compliance and general good business practice, in order to remain profitable, maintain the confidence of customers and partners, and see a positive RoI for the policies and measures that are implemented.
Finally, due to the ever-changing and increasingly complex domain of information technology, escalating volumes of stored structured and unstructured information, and the numerous ways of accessing that data – be that via the traditional office computer, personal laptop, smartphone or tablet device – an organisation must employ a security strategy that is robust, yet flexible enough to incorporate new (and possibly as-yet undefined) regulations and legal requirements; to identify, categorise and apply appropriate controls to emerging threats and risks; and to regularly review and amend its policies so that such changes are documented and continue to be addressed appropriately.
References
Baker, W. et al. (2007), ‘Necessary Measures: Metric-driven information security risk assessment and decision-making’, Communications of the ACM, 50, p. 101-106, Association for Computing Machinery.
Baker, WH. & Wallace, L. (2007), ‘Is Information Security Under Control?: Investigating Quality in Information Security Management’, IEEE Security & Privacy, Jan/Feb 2007, p. 36-44.
Bassett, J. (2007), ‘Security in Management’s Terms.’ [Online] Available at: http://www.theiia.org/intAuditor/in-the-profession/2010/it-governance/security-in-managements-terms/ [Accessed: 01 September 2011]
British Standards Institution (2005), BS ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, BSI.
Carlin, A. & Gallegos, F. (2007), ‘IT Audit: A Critical Business Process’, IT Systems Perspectives, July, p. 87-88.
Commission of the European Communities (2003), ‘Modernising Company Law and Enhancing Corporate Governance in the European Union – A Plan to Move Forward’, COM (2003) 284 final.
Damianides, M. (2005), ‘Sarbanes-Oxley and IT Governance: New Guidance on IT Control and Compliance’, Information Systems Management, Winter, p. 77-85.
Defense.gov News Transcript: DoD News Briefing – Secretary Rumsfeld and Gen. Myers (2002). [Online] Available at: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=2636 [Accessed: 03 August 2011]
Dresner, DG. & Wood, JR. (2007), ‘Operational risk: acceptability criteria’, Third International Symposium of Information Assurance and Security, p. 301-306, IEEE Computer Society.
Drew, SA. & Kendrick, T. (2005), ‘Risk management: the five pillars of corporate governance’, Journal of General Management, 31 (2), p. 19-36.
Drew, SA., Kelley, PC. & Kendrick, T. (2006), ‘Five elements of corporate governance to manage strategic risk’, Business Horizons, 49, p. 127-138.
Fitzgerald, T. (2007), ‘Clarifying the Roles of Information Security: 13 Questions the CEO, CIO, and CISO Must Ask Each Other’, Information Systems Security, 16, p. 257-263.
Freeman, E. (2007), ‘Holistic Information Security: ISO 27001 and Due Care’, Information Systems Security, 16, p. 291-294.
International Organization for Standardization (2005), ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management, ISO.
Kadam, AW. (2007), ‘Information Security Policy Development and Implementation’, Information Systems Security, 16, p. 246-256.
Knapp, K. et al. (2007), ‘Do Information Security Professionals and Business Managers View Information Security Issues Differently?’, Information Systems Security, 16, p. 100-108.
Knapp, K., Marshall, T.E., Rainer, R., Kelly, JR. & Morrow, D. (2006), ‘The Top Information Security Issues: What Can Government Do to Help?’, Information Systems Security, September/October, p. 51-58.
McCumber, J. (2005), Assessing and Managing Security Risk in IT Systems, USA: CRC Press LLC.
Mead et al. (2000), ‘Information Security Policy’ Roundtable, IEEE Software, Sep/Oct, p. 26-32.
Oladimeji, E. et al. (2006), ‘Representing Security Goals, Policies, and Objects’, in Proc. of the 5th IEEE/ACIS International Conference on Computer and Information Science (ICIS’06), July 2006.
Poore, RS. (2000), ‘Valuing Information Assets for Security Risk Management’, Information Systems Security, Sep/Oct, p. 17-23.
Vera, C. (2010), ‘The Mission of Security Awareness’, blog.sucuri.net. [Online] Available at: http://blog.sucuri.net/2010/06/the-mission-of-security-awareness.html [Accessed: 18 August 2011]
Viljoen, M. (2008), A Framework Towards Effective Control in Information Security Governance, unpublished M Tech IT thesis, Nelson Mandela Metropolitan University.
Whitman, ME. & Mattord, HJ. (2011), Principles of Information Security, Google Books. [Online] Available at: http://books.google.com/books?id=L3LtJAxcsmMC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false [Accessed: 01 September 2011]
Yankee Group Research, Inc. (2010), ‘Consumerization of the Mobile Enterprise’, Boston, MA: Yankee Group.