Information Systems Security & Strategy
“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.” (Donald H. Rumsfeld, Defense.gov News Transcript, 2002.)
Abstract
A well-developed information security strategy, and the successful implementation of policies designed to protect the sensitive data of an organisation, its employees and its customers, is essential if a company is to conduct profitable business in the modern, technologically advanced world. This paper explores some of the techniques, regulations and standards currently employed to achieve the appropriate levels of Confidentiality, Integrity and Availability (CIA) for the information assets that support business functions, and how these are put into practice. It also analyses the stages of implementation, discussing why a security policy is necessary, how to address risk in the context of information security, and the process of auditing and improving a strategy once it is in place.
The relatively new issues associated with a workforce that is increasingly reliant on mobile devices, together with the proliferation and consumerisation of smartphones, laptops and tablets, are of growing concern within the information security domain. This paper highlights some of these concerns and evaluates methods that could allow such devices to be integrated into an organisation without compromising the security of its information assets.
1. Introduction
Following a number of security and governance breaches in recent years involving well-known large companies in North America, Europe and the UK, and the associated compromise of sensitive personal information that was widely reported and discussed in the public domain, an Information Security Strategy (ISS) and an Information Security Management System (ISMS) play an ever more important role in how an organisation conducts its business. Mandatory compliance with legislation such as the Data Protection Act in the UK and the Sarbanes-Oxley Act in the US, together with customer and contractual expectations of conformance with international standards such as ISO/IEC 27001 (which, unlike those acts, is a voluntary standard against which an organisation may choose to be certified), mean that it is vital that an organisation designs a security strategy, implements the associated policies, and tests and improves them regularly and rigorously in order to protect its information assets.
This report will begin by discussing what an ISS is and defining how the core concepts of Confidentiality, Integrity and Availability of information underpin all of the regulations and methods employed to protect information assets. It will then analyse some of the techniques a business can use to begin implementing a security strategy; how to identify and assess threats and risks to sensitive information; the typical standards a business may be required or obliged to adhere to; and how security audits and reviews of a security plan play a very important part in the development of a sound strategy. Finally, we will investigate the challenges a business may face in the ‘information age’, including the multitude of (sometimes conflicting) standards and models available for creating a security strategy, and the security risks associated with the increasing availability and use of mobile devices for combined business and personal use by the modern workforce.
2. Information Systems Security & Strategy
In its most basic definition, an Information Security Strategy or Information Security Management System is a structured set of procedures and/or policies designed to protect an organisation’s information assets from being lost, stolen, destroyed or otherwise compromised, and one that “…reassures customers, employees, and suppliers that information security is a serious concern for the organisations with whom they deal.” (Freeman, 2007, p. 291). A fuller definition describes it as a document, or set of documents, containing formal statements of intent: the laws, techniques and regulations governing how an organisation administers, protects and shares information; who has access to the organisation’s information technology assets; which information assets need to be protected; and how this is achieved (Oladimeji, 2006).
This process can also be described as the act of ensuring that due care and diligence are observed in an effort to “…avoid harm to another party.” (Freeman, 2007, p. 293). Using an information security management system, whether mandated by law or pursued as a business obligation, allows this due diligence to be demonstrated. If no certifiable standard is used, an organisation should still be prepared to show that the policies it has implemented are thorough enough to provide effective security measures protecting the organisation, its employees, its customers and any other stakeholder involved.
It follows that, in protecting an organisation’s information assets, the information security triad (Figure 1) of Confidentiality, Integrity and Availability generally forms the basic building block of any strategy or plan designed to achieve the required level of protection for ICT-supported business functions (Knapp et al., 2007). The CIA triad is an extremely well-known reference model used in the design of security policy, but it is concerned entirely with information; while this serves as the core of most information security strategies, it could be argued that it should be used only as a starting point for a comprehensive strategy that takes wider factors and organisational concerns into account. Over the years there have been many attempts to incorporate other elements into the fundamental CIA framework, such as Accountability and Non-repudiation, but as these are arguably facets of Integrity it can be argued that it does not make sense to over-complicate the basics and be overly inclusive at such a fundamental level (McCumber, 2005).
Figure 1: The Information Security CIA Triad
Source: blog.subcuri.net, 2010
To describe the CIA triad more fully, the following précis definitions (Whitman & Mattord, 2011) expand on what the words ‘Confidentiality’, ‘Integrity’ and ‘Availability’ actually mean in the context of protecting information.
Confidentiality: “Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems.” (p. 13)
Integrity: “Information has integrity when it is whole, complete, and uncorrupted.” (p. 13)
Availability: “…enables authorized users – persons or computer systems – to access information without interference or obstruction and to receive it in the required format.” (p. 12)
Having defined and analysed the underpinning attributes of Confidentiality, Integrity and Availability, it can be concluded that a sound security plan must apply these attributes to every relevant area, taking into account the state the information is in (is it at rest, in transit or being processed?); how valuable the information asset is (intrinsic versus imputed value); the cost of re-creating it; and the impact on the business if the information is compromised.
Having established what a security strategy is designed to do, we now expand on these concepts to understand how an organisation may implement an information security strategy to protect its information. There is an argument that the ‘five pillar framework’ of Culture, Leadership, Alignment, Structure and Systems (CLASS) described by Drew and Kendrick (2006) forms the foundation of a successful risk management and governance strategy. That paper describes how and why each of these ‘pillars’ contributes to a framework that can be applied to a whole organisation at the strategic, management or operational level; that accommodates all types of control (input, output, process, social, adaptive); and that “… supports management and control of risks of many types and origins.” (p. 29). Although the standards, practices and methods used to create a comprehensive ISS differ widely, a business-oriented approach to their shared ultimate goal of protecting information whilst conducting business profitably will foster the global efficiency and competitiveness of business whilst safeguarding shareholders and stakeholders (Commission of the European Communities, 2003).
Protecting information assets can be defined as the process of protecting information from a wide range of threats in order to ensure business continuity and disaster recovery, minimise business damage and maximise return on investment (International Organization for Standardization, 2005). These processes and control mechanisms are defined in a number of well-known standards and pieces of legislation, such as ISO/IEC 27002, the Data Protection Act, the Sarbanes-Oxley Act and the Common Criteria for Information Technology Security Evaluation (CC), and, as argued by Dresner & Wood (2007), may be viewed as distilled best practice in managing specific risks. They are not interchangeable, however: ISO/IEC 27002 is a catalogue of controls for an organisation’s ISMS, the two Acts are laws carrying legal penalties, and the Common Criteria evaluate the security of individual IT products rather than an organisation’s management processes. Compliance with these standards is expected to produce predictable results, thereby reducing the uncertainty that may lead to loss of confidential or sensitive information, loss of customer trust and confidence, and monetary loss through fraud, theft or financial penalties imposed for non-compliance.
Information security has become a complex arena to navigate, full of technological terms and standards, but the common goal of them all is to ensure that an organisation, its employees and its customers are “…confident that the system meets a predefined level of security” (Freeman, 2007, p. 292), with all possible steps taken to meet the scope of the system and achieve the required level of assurance for the information security standard or method that has been implemented.
Oladimeji et al. (2006, p. 1) state that “At the organisational level an information security policy document is usually used as the foundation for a computer security program.” The paper goes on to say that a security policy defines what information needs to be protected, the actions that the various people and processes are allowed to carry out on that information, and how these permissions can be adapted. Applying these principles is high-level policy making; policies for specific applications therefore need to be refined before they can be implemented. Having discussed the basic principles of an information security strategy, the next section addresses and analyses the various techniques used within the ISS domain.
3. Discussion
It could be said that the primary function of an ISS within an organisation is to “minimize loss expectancy, or risk, by maximizing the efficiency of its mitigation efforts” (Baker, 2007, p. 102). Put into ‘business speak’, this may be translated as seeing a Return on Investment (RoI) for any information security measures that are implemented, which prompts board-level discussion of how far an organisation is willing to go to mitigate risk, and whether the financial cost of that mitigation is justified by the benefits (Damianides, 2005).
In recent years, owing to the “…devastating failures of governance at well known firms in North America, the UK and Europe” (Drew & Kendrick, 2005, p. 20) and the introduction of regulations and codes of conduct such as the US Sarbanes-Oxley Act of 2002 and the UK Data Protection Act of 1998, the topics of corporate governance and risk management have risen in importance and are high on the agenda of many senior executives and boardrooms. Information security systems are not only important from a regulatory perspective: as Knapp et al. (2007) discuss, they allow information technology to contribute competitive advantages in the marketplace, such as business continuity, increased customer confidence, and the mitigation of information leaks, disclosure threats and fines.
In order to mitigate risk, an organisation must first define and categorise what those risks are. Drew & Kendrick (2005, p. 22) state that “The different ways of defining, classifying, and measuring risk do matter, and are of more than academic concern.” For this reason, risk must be classified according to the industry and the chosen strategy if it is to be addressed appropriately. Before that, it is vitally important that an ISS is implemented with the full support of the organisation’s executives in order to obtain funding for an information security function; indeed, this was the top-ranked issue in a survey of 874 information security professionals and business managers conducted by Knapp et al. (2007). One of the key points highlighted in that study was the need for effective communication between security professionals and managers so that a comprehensive and coherent security plan can be put together, ensuring ‘buy-in’ from the board and appropriate funding for its development and implementation.
Before a technical or in-depth security policy is drafted, a top-level policy needs to be written and signed off by the CEO stating the board-level concerns of the organisation. These concerns can be elicited with the six simple questions when, what, where, why, who and how. Questions such as ‘what information needs to be protected?’, ‘why does information security make business sense?’ and ‘who is responsible for making the information secure?’ then provide the starting point from which a policy that addresses those areas effectively can be developed (Kadam, 2007).
Progressing from obtaining management ‘buy-in’ to implementing an ISMS once approval has been granted, implementation of a strategy generally follows this course: value the information assets and define the scope of the ISMS; define the risk assessment approach; identify acceptable risks; ensure that the risk assessment methodology produces comparable and reproducible results; identify risks and analyse and evaluate them; identify treatment actions; implement the ISMS once a Statement of Applicability (SoA) has been drafted and appropriately authorised; conduct whatever audit is required for compliance with applicable legislation (e.g. Sarbanes-Oxley); and finally review and maintain the ISMS (British Standards Institution, 2005). The ‘Plan-Do-Check-Act’ model (Figure 2) used in ISO/IEC 27001:2005 addresses these topics; it is iterative by nature and can be used as a method of continual information security improvement.
Figure 2: The ‘Plan-Do-Check-Act’ Model
Source: http://27001.denialinfo.com, 2007
A top-level policy in place at this stage clearly demonstrates top-level commitment and intent to implement an information security strategy, but intent alone is not enough to develop a comprehensive policy. The next stage is to value the organisation’s information assets and identify the threats posed to them (Kadam, 2007; Poore, 2000). The purpose of this valuation exercise is to ensure that the controls implemented are appropriate and that a sufficient budget has been allocated to information security. A simple method of determining the value of an asset is to establish how much the creation or acquisition of the information cost in the first instance, and how much it would cost to re-create if damaged or lost. Where these differ markedly, with the cost of re-creation being significantly or prohibitively expensive, a higher initial value can be placed on the original asset and controls applied accordingly (Poore, 2000).
Following on from the idea that a valuation exercise needs to be performed on all information assets, and referring back to the CIA triad, Poore (2000) argues that these assets hold a positive value when they are “… accurate, timely, useful, permitted and rare.” (p. 19). This positive value is compromised when the Confidentiality, Integrity or Availability of the asset fails. An information security strategy must address these properties in order to mitigate the impact of any risk that causes an information asset to be lost, damaged or otherwise compromised.
Another way of valuing information as an asset is to ascertain whether it has future benefit as something that could be sold or shared for economic gain or strategic business advantage. One must be aware that most information changes value as it ages and must be kept current to be at its most useful. The value of such information can be measured from the frequency of its use or exchange, and a value assigned to an asset according to how much other organisations would be willing to pay for it. Further to this, McCumber (2005) posits that information can be said to have reduced value if it cannot be accessed, and can become a significant liability in terms of the cost of storing and maintaining it.
Once a valuation exercise has been conducted, a risk identification methodology must be employed to define the severity, impact and likelihood of each risk, so that a security policy can address the risk and impose the relevant countermeasures or controls. This allows the security strategist to apply the correct controls and to decide how each particular risk will be addressed. The organisation’s risk appetite must also be assessed to ensure that a suitable risk treatment methodology is applied, employing one or more countermeasures so that risks are addressed appropriately: by prevention (stopping the risk being realised); by reducing the effect when an identified risk occurs; by transferring the risk to another entity; by having a contingency plan in place if and when a risk occurs; or by accepting that, even if an identified risk or threat occurs, the organisation can “live with it.” (Dresner & Wood, 2007, p. 303).
Accordingly, a recognised basic model for conducting a risk assessment (Figure 3) follows the lines of valuing assets, as discussed; assessing threats and vulnerabilities; determining the risks; safeguarding the assets in some way; and finally revisiting the decisions made in order to continue the process and continually improve or update the security policy to reflect changing legislative requirements or a company’s own internal processes.
Figure 3: Basic Risk Assessment Process
Source: McCumber, 2005 (p. 236)
As part of the risk assessment process, risks must be logically categorised so that they can be properly understood and remediated, or at least so that the correct controls can be applied. One technique is to categorise risks by their defining characteristic of being ‘known’, ‘unknown’ or ‘unknowable’ (Figure 4). In this model, well-understood ‘known’ risks have a high chance of appearing time after time in risk assessments; ‘unknown’ risks are omitted from a security policy because the assessment lacked the expertise to identify them; and ‘unknowable’ risks could not reasonably have been predicted, even with a wide and experienced knowledge base (Dresner & Wood, 2007). Although a great deal of time could be devoted to the classification and measurement of risk, Drew (2005) argues that the exercise should be limited to the extent required to energise a new strategy and gain commitment from senior management, since integrating this risk planning into a successful security policy requires a number of stages that allow for modification as work progresses.
Figure 4: Risk Categorization
Source: Dresner & Wood, 2007 (p. 303)
Having discussed the classification of risk, the nature of the risks faced by an organisation must be defined in a way that allows the appropriate treatment to be applied should they occur. A ‘Probability’ versus ‘Consequences’ model classifies risks according to the likelihood of their occurring and the impact caused by the event, and allows the approach to risk management to change according to severity. Drew (2005) argues that low-probability, low-impact events may require only routine monitoring, with little involvement from senior leadership and no cultural change to the organisation; low-probability, high-impact events require controls that allow for business continuity, recovery or the use of backup systems, a high level of security awareness and training for staff, and attention to the structures and systems of the organisation; high-probability, low-impact events require that resources are made readily available for risk management, with visible leadership commitment; and high-probability, high-impact events, clearly the most severe in this model, require applicable controls to be put in place with some urgency to mitigate, or severely reduce, the consequences of the risk occurring. One must also take into account the size of the organisation for which a security policy is being designed: a large company may have a complex framework containing a large number of advanced controls, while a smaller company could potentially rely on fewer, simpler controls.
Once risks have been defined and categorised, a Risk Treatment Plan must be formulated in which a control is applied to each risk so that it is treated, reduced, transferred or accepted, and the decision documented accordingly. One of the issues raised in the previously mentioned study of business managers and information security professionals (Knapp et al., 2007) concerns password management and excessive security measures: business managers generally valued productivity over information security and argued that overly stringent password policies can even decrease security, because employees forced to use overly complex passwords for multiple applications write them down for fear of forgetting them. A security plan must consider an issue such as this and either accept the risk (of passwords being written down and therefore having a higher chance of being compromised) or treat or reduce it, for example by changing the complexity requirements defined by policy.
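The valuation, probability-versus-consequences and treatment steps above can be made concrete as a small risk register. The following is an added worked example, not code from the paper or from any of the works it cites: it computes single and annualised loss expectancy from an asset’s re-creation cost, places each risk on the probability/impact grid, scores each candidate control by its net benefit, and chooses between accept, reduce and transfer. Every asset, threat, value, rate, control cost and threshold is a constructed figure for illustration, and the 0.5-per-year and 100,000 quadrant thresholds and the 5,000 risk appetite are assumptions a real organisation would set for itself.

```python
"""Added worked example (not from the paper): a small risk register that turns the
valuation, probability/consequence and treatment ideas into comparable numbers.
All asset names, values, rates, control costs and thresholds are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One row of the register: a threat acting on a valued asset."""
    asset: str
    threat: str
    asset_value: float   # value of the asset, here taken as its re-creation cost
    exposure: float      # fraction of that value lost if the threat is realised (0..1)
    aro: float           # annual rate of occurrence, i.e. likelihood per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: the cost of one occurrence (the 'consequence')."""
        return self.asset_value * self.exposure

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: the 'loss expectancy' the strategy minimises."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure and its effect on the risk it treats."""
    name: str
    annual_cost: float
    aro_factor: float       # residual ARO = aro * aro_factor (prevention lowers this)
    exposure_factor: float  # residual exposure = exposure * exposure_factor (reduces effect)


def residual(risk: Risk, control: Control) -> Risk:
    """The same risk with the control in place."""
    return Risk(risk.asset, risk.threat, risk.asset_value,
                risk.exposure * control.exposure_factor,
                risk.aro * control.aro_factor)


def net_benefit(risk: Risk, control: Control) -> float:
    """Return on the security investment: ALE avoided minus the control's yearly cost."""
    return risk.ale - residual(risk, control).ale - control.annual_cost


def quadrant(risk: Risk, aro_threshold: float = 0.5, sle_threshold: float = 100_000.0) -> str:
    """Place the risk on the probability-versus-consequences grid (thresholds assumed)."""
    prob = "high probability" if risk.aro >= aro_threshold else "low probability"
    impact = "high impact" if risk.sle >= sle_threshold else "low impact"
    return f"{prob} / {impact}"


def recommend(risk: Risk, controls: List[Control], appetite: float,
              sle_threshold: float = 100_000.0) -> Tuple[str, Optional[str]]:
    """Choose a treatment for one risk.

    accept   - expected annual loss within appetite: routine monitoring only
    reduce   - a control pays for itself; returns the control with the best net benefit
    transfer - nothing pays for itself but one event is intolerable (low probability,
               high impact): insure it and keep a continuity/contingency plan
    accept with sign-off - above appetite yet not worth treating; needs documented acceptance
    """
    if risk.ale <= appetite:
        return ("accept", None)
    best = max(controls, key=lambda c: net_benefit(risk, c), default=None)
    if best is not None and net_benefit(risk, best) > 0:
        return ("reduce", best.name)
    if risk.sle >= sle_threshold:
        return ("transfer", None)
    return ("accept", "requires documented sign-off")


APPETITE = 5_000.0  # assumed: the board tolerates up to 5,000 of expected annual loss per risk

# Constructed sample register; none of these figures come from a real assessment.
REGISTER = [
    (Risk("customer database", "theft via web application flaw", 500_000, 0.6, 0.2),
     [Control("WAF plus secure code review", 25_000, 0.25, 1.0)]),
    (Risk("field laptop data", "laptop lost in transit", 20_000, 1.0, 2.0),
     [Control("full-disk encryption", 3_000, 1.0, 0.05)]),
    (Risk("primary data centre", "fire", 2_000_000, 1.0, 0.01),
     [Control("warm standby site", 30_000, 1.0, 0.1)]),
    (Risk("office printer configuration", "misconfiguration", 500, 0.5, 1.0),
     [Control("managed print service", 1_000, 0.5, 1.0)]),
]


def treatment_plan(register=REGISTER, appetite: float = APPETITE) -> List[dict]:
    """Rank the register by ALE (comparable, reproducible) and attach a treatment to each row."""
    rows = []
    for risk, controls in sorted(register, key=lambda rc: rc[0].ale, reverse=True):
        action, detail = recommend(risk, controls, appetite)
        rows.append({"asset": risk.asset, "threat": risk.threat, "ale": round(risk.ale),
                     "quadrant": quadrant(risk), "action": action, "detail": detail})
    return rows


if __name__ == "__main__":
    for row in treatment_plan():
        print(row)
```

The data-centre row is the instructive one: by pure loss-expectancy arithmetic the standby site does not pay for itself, yet a single event would be intolerable, so the plan transfers the risk (insurance plus a contingency plan) rather than silently accepting it, which is the low-probability, high-impact case Drew describes.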
With the identification, categorisation and treatment of risk having been analysed, one must next consider the information security audit as a critical function in the life cycle of a sound ISS and of good corporate governance. An audit may be an internal function; required as part of a regulatory act (Sarbanes-Oxley, for example); or, as in the case of ISO/IEC 27001, required in order to be certified as compliant with a specific standard. As argued by Bassett (2007), an effective audit “...can enhance the organisation’s security stance, further its mission, and act as a catalyst that promotes sound IT governance”; it involves reviewing controls and compliance with policies to help an organisation monitor how it conducts business whilst protecting the company, its employees and its customers. An audit also systematically validates the security, reliability, integrity and privacy of information systems in order to ensure that their activities are legal (Carlin and Gallegos, 2007).
An audit usually progresses through several stages, and for ISO/IEC 27001 certification this is a three-stage process: 1. A preliminary review, which is an informal or internal review of the information security plan to check key documents such as the information security policy and the Risk Treatment Plan for completeness. 2. A detailed (possibly formal) compliance audit; for example, in pursuit of ISO/IEC 27001 certification, qualified external auditors gather evidence to confirm that the strategy has been properly designed, implemented and is in current operation. 3. Follow-up reviews to confirm that compliance is maintained. The standard itself requires internal audits at planned intervals and a management review at least once a year, and certification bodies conduct surveillance audits at least annually; reviews can be conducted more frequently, if agreed by management, particularly whilst an ISMS is in its infancy and still maturing. Looking at this from a wider perspective, Carlin and Gallegos (2007) argue that an audit cycle consists of several phases that define the scope and objectives of the audit; evaluate internal controls; conduct compliance testing; and finally report on weaknesses or failures detected within the system.
Having looked at the stages of an audit, we now look at how an audit might take place. This involves a systematic approach to testing all of the relevant areas, also described as conducting ‘fieldwork’ to test the controls. Automated tools commonly used within the information security domain support this: Nmap provides information about a network, such as the operating systems being run, the services being offered and the types of firewall in place; Snort provides intrusion detection, packet sniffing or logging, and network traffic analysis; and Nessus scans the network and reports, with recommendations, on devices identified as being vulnerable to attack or security breach (Viljoen, 2008). Scan output is only evidence, however: each result still has to be compared with the asset register and the policy before it can be called a control failure. Following on from the argument that an audit helps to validate an organisation’s security posture, Fitzgerald (2007) asserts that audit issues must be quickly and correctly analysed by IT management, because the Confidentiality, Integrity and Availability of information is put at risk when the defined process is not followed and investment is misdirected into firewalls, anti-virus software, spam filtering and other technologies rather than into effective review of the logs, reports and suggested remediation produced by the tools already in place.
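To show what turning fieldwork output into audit findings looks like, here is an added example that is not part of the paper or of the Nmap project: it parses Nmap’s XML report format (the `-oX` output), keeps only live hosts and open ports, and compares what is exposed against an approved-services baseline, flagging unapproved ports, clear-text protocols and any live host missing from the asset register. The scan data is a constructed sample in the real format rather than a capture from a real network, and the `APPROVED_SERVICES` baseline and `CLEARTEXT_SERVICES` list are hypothetical policy settings.

```python
"""Added worked example (not from the paper): parse Nmap -oX output and compare what is
actually exposed against an approved-services baseline, the way an auditor turns scan
results into control findings. The scan data and the baseline are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in Nmap's -oX format; the hosts and services are hypothetical.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 10.0.0.0/29">
  <host><status state="up" reason="arp-response"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="closed" reason="reset"/><service name="mysql"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host><status state="up" reason="arp-response"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/><address addr="10.0.0.8" addrtype="ipv4"/></host>
</nmaprun>
"""

# Assumed policy baseline: the open TCP ports each registered host is permitted to expose.
APPROVED_SERVICES: Dict[str, Set[int]] = {
    "10.0.0.5": {22, 443},
    "10.0.0.6": {80},
}

# Assumed policy: protocols that carry credentials or data in clear text are not allowed.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "pop3", "imap"}


def parse_nmap_xml(xml_text: str) -> List[dict]:
    """Return one record per live host: address, OS guess and its open ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # hosts that did not respond are not exposure
        osmatch = host.find("os/osmatch")
        ports = []
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not exposure either
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({"addr": addr.get("addr"),
                      "os": osmatch.get("name") if osmatch is not None else None,
                      "ports": ports})
    return hosts


def audit_findings(hosts: List[dict], approved: Dict[str, Set[int]],
                   cleartext: Set[str] = CLEARTEXT_SERVICES) -> List[Tuple[str, Optional[int], str]]:
    """Compare scan results with the baseline and return (host, port, finding) tuples."""
    findings = []
    for h in hosts:
        allowed = approved.get(h["addr"])
        if allowed is None:
            # a live host the asset register does not know about is itself a finding
            findings.append((h["addr"], None, "host not in approved asset register"))
            continue
        for p in h["ports"]:
            if p["port"] not in allowed:
                findings.append((h["addr"], p["port"], f"unapproved open service: {p['service']}"))
            if p["service"] in cleartext:
                findings.append((h["addr"], p["port"], f"clear-text protocol exposed: {p['service']}"))
    return findings


if __name__ == "__main__":
    for host, port, text in audit_findings(parse_nmap_xml(SAMPLE_NMAP_XML), APPROVED_SERVICES):
        print(f"{host}:{port if port is not None else '-'}  {text}")
```

Against the sample this yields six findings: an unapproved telnet listener, an unapproved FTP listener, three clear-text protocols (telnet, FTP and the approved but unencrypted HTTP), and a live host that is not in the register at all. Note that port 80 on 10.0.0.6 is within policy for the port baseline yet still reported under the clear-text rule; an auditor would record both the policy decision and the residual risk rather than let one check mask the other.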
4. Issues within Information Systems Security
It is apparent that, for all the wealth of literature, models, methods and tools available to aid the implementation of information security strategies, there are a multitude of conflicting arguments and ‘outdated’ ideas being replaced by new and ever-changing regulations, techniques and standards. This is discussed by Mead et al. (2000), who debate whether the information security policy field is developing at a rapid enough pace; whether individual organisations, official standards bodies, governments or other entities should be responsible for establishing security policy; and the pros and cons of each choice. Another question raised in that discussion is whether a universal, standardised approach that satisfies everyone is practical, and whether it would be a viable alternative to the current situation, in which there are often multiple, and sometimes competing, standards.
As well as the question of where responsibility for implementing security strategies should lie, McCumber (2005) asserts that “all models have shortcomings” (p. 15): just as maps cannot show traffic jams and building blueprints lack topographical detail, no single model for information security planning can provide ‘security out of the box’, because of factors such as human error or, as detailed by Knapp et al. (2006), “User awareness training and education” issues, “Low funding and inadequate budgets” and “Legal and regulatory issues” (Table 1, p. 101). The report goes on to highlight that security professionals and business managers have differing opinions on which issues matter most when addressing an organisation’s security concerns. This could be a result of the differing focus of the two groups, with security professionals approaching things from a more technical direction, an area relatively invisible to business managers. Perhaps unsurprisingly, though, the two groups shared common ground on the Confidentiality, Integrity and Availability of information and on backup and recovery and business continuity, as these may be considered critical issues high on the list of any plan intended to mitigate loss (financial or of data) and to justify expenditure, whether viewed from an IT security or a business perspective.
Other areas that must be given increasing weight in information security strategy are the issues of an increasingly mobile workforce and the security concerns that accompany the use of smartphones, laptop computers and tablet devices. The consumerisation of these devices is well reported: in one study (Signorini and Hochmuth, 2010) 54% of business professionals used a personally purchased device, and 34% used non-approved applications such as Google Docs or Yahoo! Messenger for business-related activities. The report goes on to argue that the factors driving this trend are the proliferation and availability of smartphones and tablets, the easier integration of these devices into business applications, and an increasingly blended work and home life. An organisation must find common ground whereby both the user and the business benefit from this integration while sensitive data remains protected from compromise. Despite reports such as these, the findings of Baker and Wallace (2007) indicate that the identification and tracking of remote connections into the enterprise (and potentially into critical systems) are not generally highlighted as a significant source of risk, with the result that the controls applied to them are often insufficient.
It can be argued that some smartphone capabilities have legitimate business functions for mobile employees, for example the integration of business e-mail into native mail applications, navigation/GPS and instant messaging, all of which are generally considered ‘personal’ features. However, each application should be evaluated individually to determine whether it is harmful to the security of the organisation, and a mobile device policy (as part of the ISS/ISMS) must decide whether to forbid the use of personal devices outright or to incorporate them into the organisation with appropriate control mechanisms applied to secure any information that is accessed from, and then stored on, these devices.
5. Conclusions
With increasingly severe financial penalties, potential loss of earnings and damage to reputation resulting from the loss or theft of sensitive information, non-compliance with legal standards, or breach of legislation such as the Data Protection Act, it is vital to a business that enough time, effort and budget are allocated to the design and implementation of, and adherence to, a sound security strategy that protects the information assets of the business, its employees, its customers and its business partners as well as it can.
Information security professionals, IT staff and
business managers must between them balance
the requirements of a strong security strategy
against allocated budget, doing the absolute
maximum to ensure the protection of the
organisation’s information assets whilst being
reasonable about security-related expenditure in
the pursuit of regulatory compliance and general
good business practice in order to be profitable;
ensure confidence in them by customers and
partners; and see a positive RoI for the policies
and measures that are implemented.
Finally, due to the ever-changing and
increasingly complex domain of information
technology; escalating volumes of stored
structured and unstructured information; and the
numerous ways of accessing that data - be that
via the traditional office computer, personal
laptop, smartphone or tablet device – an
organisation must employ a security strategy
that is robust, yet flexible enough to incorporate
new (and possibly as-yet undefined) regulations
and legal requirements; identify, categorize and
apply appropriate controls to emerging threats
and risks, and be able to regularly review and
amend policies in order for such changes to be
documented and continuously be able to
address them appropriately.
References
Baker, W. et al. (2007), ‘Necessary Measures: Metric-driven information security risk assessment and decision-making’, Communications of the ACM, 50, p. 101-106, Association for Computing Machinery.
Baker, WH. & Wallace, L. (2007), ‘Is Information Security Under Control?: Investigating Quality in Information Security Management’, IEEE Security & Privacy, Jan/Feb 2007, p. 36-44.
Bassett, J. (2007), ‘Security in Management’s Terms.’ [Online] Available at: http://www.theiia.org/intAuditor/in-the-profession/2010/it-governance/security-in-managements-terms/ [Accessed: 01 September 2011]
British Standards Institution (2005), BS ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, BSI.
Carlin, A. & Gallegos, F. (2007), ‘IT Audit: A Critical Business Process’, IT Systems Perspectives, July, p. 87-88.
Commission of the European Communities (2003), ‘Modernising Company Law and Enhancing Corporate Governance in the European Union – A Plan to Move Forward’, COM (2003) 284 final.
Damianides, M. (2005), ‘Sarbanes-Oxley and IT Governance: New Guidance on IT Control and Compliance’, Information Systems Management, (Winter), p. 77-85.
Defense.gov News Transcript: DoD News Briefing - Secretary Rumsfeld and Gen. Myers (2002). [Online] Available at: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=2636 [Accessed: 03 August 2011]
Dresner, DG. & Wood, JR. (2007), ‘Operational risk: acceptability criteria’, Third International Symposium of Information Assurance and Security, p. 301-306, IEEE Computer Society.
Drew, SA. & Kendrick, T. (2005), ‘Risk management: the five pillars of corporate governance’, Journal of General Management, 31 (2), p. 19-36.
Drew, SA., Kelley, PC. & Kendrick, T. (2006), ‘Five elements of corporate governance to manage strategic risk’, Business Horizons, (49), p. 127-138.
Fitzgerald, T. (2007), ‘Clarifying the Roles of Information Security: 13 Questions the CEO, CIO, and CISO Must Ask Each Other’, Information Systems Security, 16, p. 257-263.
Freeman, E. (2007), ‘Holistic Information Security: ISO 27001 and Due Care’, Information Systems Security, 16, p. 291-294.
International Organisation for Standardization (2005), ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management, ISO.
Kadam, AW. (2007), ‘Information Security Policy Development and Implementation’, Information Systems Security, 16, p. 246-256.
Knapp, K. et al. (2007), ‘Do Information Security Professionals and Business Managers View Information Security Issues Differently?’, Information Systems Security, 16, p. 100-108.
Knapp, K., Marshall, T.E., Rainer, R., Kelly, JR. & Morrow, D. (2006), ‘The Top Information Security Issues: What Can Government Do to Help?’, Information Systems Security, September/October, p. 51-58.
McCumber, J. (2005), Assessing and Managing Security Risk in IT Systems, USA: CRC Press LLC.
Mead et al. (2000), ‘Information Security Policy Roundtable’, IEEE Software, Sep/Oct, p. 26-32.
Oladimeji, E. et al. (2006), ‘Representing Security Goals, Policies, and Objects’, in Proc. of the 5th IEEE/ACIS International Conference on Computer and Information Science (ICIS’06), July 2006.
Poore, RS. (2000), ‘Valuing Information Assets for Security Risk Management’, Information Systems Security, Sep/Oct, p. 17-23.
Vera, C. (2010), ‘The Mission of Security Awareness’, blog.sucuri.net. [Online] Available at: http://blog.sucuri.net/2010/06/the-mission-of-security-awareness.html [Accessed: 18 August 2011]
Viljoen, M. (2008), A Framework Towards Effective Control in Information Security Governance, Unpublished M Tech IT thesis, Nelson Mandela Metropolitan University.
Whitman, ME. & Mattord, HJ. (2011), Principles of Information Security, Google Books. [Online] Available at: http://books.google.com/books?id=L3LtJAxcsmMC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false [Accessed: 01 September 2011]
Yankee Group Research, Inc. (2010), ‘Consumerization of the Mobile Enterprise’, Boston, MA: Yankee Group.

Contenu connexe

Tendances

Build and Information Security Strategy
Build and Information Security StrategyBuild and Information Security Strategy
Build and Information Security Strategy
Info-Tech Research Group
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
William Godwin
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 

Tendances (20)

Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
 
Building a security strategy?
Building a security strategy?Building a security strategy?
Building a security strategy?
 
Build and Information Security Strategy
Build and Information Security StrategyBuild and Information Security Strategy
Build and Information Security Strategy
 
Developing an Information Security Roadmap
Developing an Information Security RoadmapDeveloping an Information Security Roadmap
Developing an Information Security Roadmap
 
Manning Information Security Strategy
Manning Information Security StrategyManning Information Security Strategy
Manning Information Security Strategy
 
IT Security Strategy
IT Security StrategyIT Security Strategy
IT Security Strategy
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHS
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk Managment
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service Presentation
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'a
 
Risk Management Approach to Cyber Security
Risk Management  Approach to Cyber Security Risk Management  Approach to Cyber Security
Risk Management Approach to Cyber Security
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 -  Security Architecture Ver1 0TOGAF 9 -  Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guide
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 

En vedette

Security Procedures
Security ProceduresSecurity Procedures
Security Procedures
Ian Strever
 
IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and Tools
Andrew S. Baker (ASB)
 
The National Cyber Security Strategy 2016 to 2021 sets out the government's p...
The National Cyber Security Strategy 2016 to 2021 sets out the government's p...The National Cyber Security Strategy 2016 to 2021 sets out the government's p...
The National Cyber Security Strategy 2016 to 2021 sets out the government's p...
at MicroFocus Italy ❖✔
 
Denning_Todd_Report
Denning_Todd_ReportDenning_Todd_Report
Denning_Todd_Report
Todd Denning
 

En vedette (13)

IT Security Strategy
IT Security StrategyIT Security Strategy
IT Security Strategy
 
Risk Analysis and Mitigation in Virtualized Environments
Risk Analysis and Mitigation in Virtualized EnvironmentsRisk Analysis and Mitigation in Virtualized Environments
Risk Analysis and Mitigation in Virtualized Environments
 
What a data-centric strategy gives you that others do not
What a data-centric strategy gives you that others do notWhat a data-centric strategy gives you that others do not
What a data-centric strategy gives you that others do not
 
RSA 2010 Francis De Souza
RSA 2010 Francis De SouzaRSA 2010 Francis De Souza
RSA 2010 Francis De Souza
 
Security Procedures
Security ProceduresSecurity Procedures
Security Procedures
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk Management
 
Security Procedures
Security ProceduresSecurity Procedures
Security Procedures
 
IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and Tools
 
The National Cyber Security Strategy 2016 to 2021 sets out the government's p...
The National Cyber Security Strategy 2016 to 2021 sets out the government's p...The National Cyber Security Strategy 2016 to 2021 sets out the government's p...
The National Cyber Security Strategy 2016 to 2021 sets out the government's p...
 
Denning_Todd_Report
Denning_Todd_ReportDenning_Todd_Report
Denning_Todd_Report
 
IDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber SecurityIDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber Security
 
December ISSA Meeting Executive Security Presentation
December ISSA Meeting   Executive Security PresentationDecember ISSA Meeting   Executive Security Presentation
December ISSA Meeting Executive Security Presentation
 
Data security risks and the cost of business continuity (slideshare) tmcs q...
Data security risks and the cost of business continuity (slideshare)   tmcs q...Data security risks and the cost of business continuity (slideshare)   tmcs q...
Data security risks and the cost of business continuity (slideshare) tmcs q...
 

Similaire à Information Systems Security & Strategy

Challenges in implementing effective data security practices
Challenges in implementing effective data security practicesChallenges in implementing effective data security practices
Challenges in implementing effective data security practices
wacasr
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
Jessica Graf
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
madunix
 
Outline for an Enterprise IT Security PolicyNo NameJanuary 24, 201.docx
Outline for an Enterprise IT Security PolicyNo NameJanuary 24, 201.docxOutline for an Enterprise IT Security PolicyNo NameJanuary 24, 201.docx
Outline for an Enterprise IT Security PolicyNo NameJanuary 24, 201.docx
alfred4lewis58146
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Risk
amiable_indian
 

Similaire à Information Systems Security & Strategy (20)

Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and Prospect
 
LD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxLD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docx
 
Fundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management   it-toolkitsFundamentals of data security policy in i.t. management   it-toolkits
Fundamentals of data security policy in i.t. management it-toolkits
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management   it-tool...Protecting business interests with policies for it asset management   it-tool...
Protecting business interests with policies for it asset management it-tool...
 
Challenges in implementing effective data security practices
Challenges in implementing effective data security practicesChallenges in implementing effective data security practices
Challenges in implementing effective data security practices
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
 
Information security
Information securityInformation security
Information security
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
An information security governance framework
An information security governance frameworkAn information security governance framework
An information security governance framework
 
Ch.5 rq (1)
Ch.5 rq (1)Ch.5 rq (1)
Ch.5 rq (1)
 
Outline for an Enterprise IT Security PolicyNo NameJanuary 24, 201.docx
Outline for an Enterprise IT Security PolicyNo NameJanuary 24, 201.docxOutline for an Enterprise IT Security PolicyNo NameJanuary 24, 201.docx
Outline for an Enterprise IT Security PolicyNo NameJanuary 24, 201.docx
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Risk
 
Paper Titled Information Security in an organization
Paper Titled Information Security in an organizationPaper Titled Information Security in an organization
Paper Titled Information Security in an organization
 
820 1961-1-pb
820 1961-1-pb820 1961-1-pb
820 1961-1-pb
 
Data Security
Data SecurityData Security
Data Security
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
 
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms  An Empirical Study O...Assimilation Of Security-Related Policies In U.S. Firms  An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
 
Cissp notes
Cissp notesCissp notes
Cissp notes
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policy
 

Information Systems Security & Strategy

  • 1. Page 1 of 11 Information Systems Security & Strategy “Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.” (Donald H. Rumsfeld, Defence.gov News Transcript 2002.)
  • 2. Page 2 of 11 Abstract A well developed information security strategy and the successful implementation of policies designed to protect the sensitive data of an organisation, its employees and customers is essential in order for a company to conduct profitable business in the modern, technologically advanced world we live in. This paper will explore some of the techniques, regulations and standards currently employed in order to achieve the highest levels of Confidentiality, Integrity and Availability (CIA) for information assets that are required in support of business functions and how these are executed. It will also analyse the various stages of implementation, discussing why a security policy is necessary, how to address risk in the context of information security, and the process of auditing and improving a strategy once it is in place. The relatively new issues associated with a workforce that is increasingly reliant on mobile devices and the proliferation and consumerisation of smartphones, laptops and tablet devices is of increasing concern within the information security domain, and it is the intention of this paper to highlight some of these concerns and evaluate various methods that could enable the integration of such devices into an organisation without compromising the security of its information assets. 1. Introduction Subsequent to a number of security and governance breaches in recent years involving well known large companies in North America, Europe and the UK – and the associated compromise of sensitive personal information - as widely reported and discussed in the public domain, Information Security Strategy (ISS) and Information Security Management Systems (ISMS) play an ever-increasingly important and role in how an organisation conducts its business. 
Mandatory compliance with acts such as the Data Protection Act in the UK, the Sarbanes-Oxley Act in the US, and international regulatory requirements such as compliance with ISO27001 mean that it is vital that a security strategy and the implementation of associated policies, along with regular rigorous testing and improvement, are conducted by an organisation in the pursuit of protecting its information assets. This report will begin by discussing what an ISS is and defining how the core concepts of Confidentiality, Integrity and Availability of information underpin all of the regulations and methods employed in the pursuit of protecting information assets. It will then analyse some of the techniques used in order for a business to begin the process of implementing a security strategy; how to identify and assess threats and risks to sensitive information; what the typical standards are that a business may be required or obliged to adhere to; and how security audits and reviewing of a security plan play a very important part in the development of a sound strategy. Finally, we will investigate the challenges that a business may be faced with in the ‘information age’, including the multitude of – and sometimes conflicting - standards and models available to create a security strategy, and also the security risks associated with the increasing availability and use of mobile devices for the combined purposes of business and personal use by the modern workforce. 2. Information Systems Security & Strategy In its most basic definition, an Information Security Strategy or Information Security Management System is a structured set of procedures and/or policies that are designed to protect an organisation’s information assets from being lost, stolen, destroyed or otherwise compromised and one that “…reassures customers, employees, and suppliers that information security is a serious concern for the organisations with whom they deal.” (Freeman,
  • 3. Page 3 of 11 2007 p. 291). A fuller definition could be described as a document, or set of documents that contain formal statements of intent; the laws, techniques and regulations on how an organisation administers, protects and allows information to be shared; who has access to the organisation’s information technology assets; what information assets needs to be protected and how this is achieved. (Oladimeji, 2006). This process can also be described as the act of ensuring due care and diligence is observed in an effort to “…avoid harm to another party.” (Freeman, 2007, p.293). Using an information security management system, either as mandated by law or pursued as a business obligation allows for this due diligence to be proven, however if no certifiable standard is used an organisation should still be prepared to show that the implemented policies are thorough enough to provide effective security measures in order to protect the organisation; its employees; customers, and any other stakeholder involved. It so follows that in the pursuit of the protection of an organisation’s information assets, the Information Security triad (as described in Figure 1) of Confidentiality, Integrity and Availability generally form the basic building blocks of any strategy or plan that is designed in order to achieve the required level of protection of ICT- supported business functions (Knapp et al, 2007). The CIA Triad is an extremely well- known reference model used in the design of security policy but is entirely concerned with information, and while this serves as the core factor for most information security strategies it could be argued that it should only be used as a starting point in the building of a comprehensive security strategy that takes in to account wider factors and organisational concerns. 
Over the years, there have been many attempts to incorporate other elements into the fundamental framework of CIA - such as Accountability and Non-repudiation – but as these categories are arguably a facet of Integrity, it can be argued that it doesn’t make sense to over-complicate the basics and be overly inclusive at such a fundamental level. (McCumber, 2005). Figure 1: The Information Security CIA Triad Source: blog.subcuri.net, 2010 In order to more fully describe the CIA Triad, here follows a précis definition (Whitman & Mattord, 2011) to expand on the core concepts of what the words ‘Confidentiality’, ‘Integrity’, and ‘Availability’ actually mean in the context of protecting information. Confidentiality: “Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems.” (p. 13) Integrity: “Information has integrity when it is whole, complete, and uncorrupted.” (p. 13) Availability: “…enables authorized users – persons or computer systems – to access information without interference or obstruction and to receive it in the required format.” (p. 12) Having defined and analysed the underpinning attributes of Confidentiality, Integrity and Availability, it can thus be concluded that in the implementation of a sound security plan these attributes must be applied to every relevant area, taking into account states of transmission (is the information at rest, in transit or being processed?); how valuable the information asset is (intrinsic vs. imputed); the cost of its re- creation, and impact on the business if the information is compromised. The foundations regarding what a security strategy is actually designed to do having been
  • 4. Page 4 of 11 established, we will now expand on these concepts in order to understand how an organisation may implement an information security strategy with the intention of protecting its information. There is an argument that the ‘five pillar framework’ of Culture; Leadership; Alignment; Structure, and Systems (CLASS) as described by Drew and Kendrick (2006) form the foundation for successful risk management and governance strategy. The paper goes on to describe how and why each of these ‘pillars’ form a framework which makes it a valuable tool that can be applied to a whole organisation at a strategic, management or operational level; allows for the framework to include all types of controls (input, output, process, social, adaptive); and “… supports management and control of risks of many types and origins.” (p. 29). Though the standards, practices and methods variously used in creating a comprehensive ISS differ widely, a business- orientated approach of achieving their shared ultimate goal of protecting information whilst conducting business profitably will foster global efficiency and competitiveness of business, whilst safeguarding shareholders and stakeholders (Commission of the European Communities, 2003). Protecting information assets can be defined as the process of protecting information from a wide range of threats in order to ensure business continuity/disaster recovery; minimize business damage, and maximize return on investments. (International Organisation for Standardization, 2005). These processes and control mechanisms are defined in a number of very well known standards, such as ISO 27002; the Data Protection Act; the Sarbanes-Oxley Act and the Common Criteria for Information Technology Security Evaluation (CC), and as argued by Dresner & Wood (2007) may be viewed as the distilled best practice in managing specific risks. 
Compliance with these standards is expected to achieve predictable results, thereby reducing uncertainty that may result in loss of confidential/sensitive information; trust and confidence of the customer and monetary loss due to fraud, theft or financial penalties that may be imposed for non-compliance. Information security has become a complex arena to navigate, full of technological terms and standards, but the common goal of them all is to ensure that an organisation, its employees and customers are “…confident that the system meets a predefined level of security” (Freeman, 2007, p. 292 ) ensuring all possible steps are taken in order to meet the scope of the system and achieve the required level of assurance for the implemented information security standard or method. Oladimeji et al. (2006, p. 1) state that “At the organisational level an information security policy document is usually used as the foundation for a computer security program.” The paper goes on to say that a security policy defines what information needs to be protected; actions that the various people and processes are allowed to carry out on the information and how these permissions can be adapted. The application of these principles can be considered to be high level policy making, therefore policies for specific applications require refinement in order to be implemented. Having discussed the basic principles of Information Systems Security Strategy (ISSS), the next section will address and analyse the various techniques used within the ISSS domain. 3. Discussion It could be said that the primary function of an ISS within an organisation is to “minimize loss expectancy, or risk, by maximizing the efficiency of its mitigation efforts”. (Baker, 2007, p. 102). 
Put into ‘business speak’ this may be translated as seeing a Return of Investment (RoI) for any information security measures that are implemented, which would prompt board- level discussions around the question of how far an organisation is willing to go to mitigate risk, and if the financial cost of that mitigation is justified by the benefits. (Damianides, 2005).
  • 5. Page 5 of 11 In recent years, due to the “…devastating failures of governance at well known firms in North America, the UK and Europe” (Drew & Kendrick, 2005, p. 20) and the implementation of regulations and codes of conduct such as the US Sarbanes Oxley Act of 2002 and the Data Protection Act of 1998, the topics of corporate governance and risk management have risen in importance and find themselves high on the agenda for many senior executives and in the boardrooms of many organisations. Information security systems are not only important from a regulatory perspective, but as discussed by Knapp et al. (2007) it allows for information technology to assist in gaining advantages in the marketplace by enabling an organisation to ensure competitive advantages such as business continuity, increasing customer confidence and the mitigation of information leaks and disclosure threats or fines. Consequently, in order to mitigate risk an organisation must define and categorize what these risks are. Drew & Kendrick (2005, p. 22) state that “The different ways of defining, classifying, and measuring risk do matter, and are of more than academic concern.” For this reason, risk must be classified according to industry and the chosen strategy in order for them to be addressed appropriately. Analysing this further, first and foremost it is of vital importance that an ISS is implemented with the full support of organisational executives in order to obtain funding for an information security function. Indeed, this was raised as the top ranked issue in a survey of 874 information security professionals and business managers conducted by Knapp et al. (2007). 
One of the key points highlighted in this study was the need for effective communications between security professionals and managers in order for a comprehensive and coherent security plan to be put together, ensuring ‘buy-in’ from the board and for appropriate funding to be allocated for its development and implementation. Before a technical or in-depth security policy is drafted, a top level policy needs to be written and signed off by the CEO that states the board- level concerns of the organisation. The top level concerns could be sought by using the six simple questions of: when, what, where, why, who, and how, to help develop those ideas. Asking such questions as ‘what information needs to be protected?’; ‘why information security makes business sense?’; and ‘who is responsible for making the information secure?’ can then be used as a starting point from which a policy can be developed that addresses those areas effectively. (Kadam, 2007). Progressing from the stages of developing management ‘buy-in’ to implementation of an ISMS after approval has been granted, the general course that implementation of a strategy conforms to is through a process of information asset valuation and defining the scope of the ISMS; defining the risk assessment approach; identifying acceptable risks; ensure risk assessment methodology produces comparable and reproducible results; identify risks and analyse/evaluate them; identify treatment actions; implementing an ISMS after a Statement of Applicability (SoA) has been drafted and granted appropriate authorization; conducting an audit as required for compliance with a legislated act (eg. Sarbanes-Oxley), and finally reviewing/maintaining the ISMS. (British Standards Institution, 2005). The ‘Plan-Do- Check-Act’ model (Figure 2), as used in ISO 27001 can be seen to address these topics, is of an iterative nature and can be used as a method for constant information security improvement.
Figure 2: The ‘Plan-Do-Check-Act’ Model (Source: http://27001.denialinfo.com, 2007)

Having discussed the implementation stages of a security policy, and seeing that a top-level policy would be in place at this stage which would clearly demonstrate top-level commitment and intent to implement an information security strategy, intent alone would not be enough to develop a comprehensive policy. The next stage, then, would be to evaluate the organisation’s information assets and identify the threats posed to them (Kadam, 2007; Poore, 2000). The overall purpose of this valuation exercise is to ensure that the controls implemented are appropriate, and that a sufficient budget has been allocated for information security. A simple method of determining the value of an entity is to establish how much the creation or acquisition of that information cost in the first instance, and how much it would cost to re-create if damaged or lost. Should these values differ markedly (with the cost of re-creation being significantly, or prohibitively, expensive) it can be argued that a higher initial value can be placed on the original asset, with the appropriate controls then applied to it (Poore, 2000).

Following on from the idea that a valuation exercise needs to be performed on all information assets, and referring back to the CIA Triad, Poore (2000) argues that these assets can be said to hold a positive value when they are “… accurate, timely, useful, permitted and rare.” (p. 19). This positive value is compromised when the Confidentiality, Integrity or Availability of information assets fails. An information security strategy must address these issues in order to mitigate the impact of any risk which causes an information asset to be lost, damaged or otherwise compromised.
Another way of valuing information as an asset is to ascertain whether it has future benefit as something that could be sold or shared for economic gain or for a strategic business advantage. One must be aware that most information changes value as it ages, and must be kept up to date and current to be at its most useful. The value of this information can be measured from the frequency of its use or exchange; a value can then be assigned to an information asset dependent on how much other organisations are willing to pay for it. Further to this, McCumber (2005) posits that information could be said to have a reduced value if it cannot be accessed, and can become a significant liability in terms of the costs required to store and maintain it.

Once a valuation exercise has been conducted, in order for a security policy to address risk and impose relevant countermeasures or controls, a risk identification methodology must be employed to define the severity of the risk, its impact, and the likelihood of it occurring. This will allow the security strategist to apply the correct controls and then assess how the particular risk will be addressed. The risk appetite of the organisation must also be assessed in order to ensure a suitable risk treatment methodology is applied, employing one or more countermeasures to ensure risks are addressed appropriately, either by prevention (stopping the realisation of the risk); reducing the effect when an identified risk occurs; transferring the risk to another entity; having a contingency plan in place if and when a risk occurs; or accepting that even if an identified risk/threat occurs the organisation can “live with it.” (Dresner & Wood, 2007, p. 303).
Accordingly, a recognized basic model (Figure 3) for conducting a risk assessment follows the lines of valuing assets, as discussed; assessing threats and vulnerabilities; determining the risks; safeguarding the assets in some way and finally re-visiting the decisions made in order to continue the process and continually improve or update a security policy to reflect the changing requirements of legislation or a company’s own internal processes.
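The valuation, likelihood/impact and treatment steps described above, run as a small risk register that produces Risk Treatment Plan rows. This is an added example, not code from the paper or from any work it cites; the asset figures and threats are constructed, and the 0..1 probability/impact scale, the risk appetite threshold and the pairing of Drew’s (2005) four probability/consequence quadrants (discussed later in this section) with the Dresner & Wood treatment options are our own assumptions.

```python
"""Risk register following the page's basic risk assessment process (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Treatment(Enum):
    """Risk treatment options listed by Dresner & Wood (2007)."""
    PREVENT = "prevent"
    REDUCE = "reduce"
    TRANSFER = "transfer"
    CONTINGENCY = "contingency"
    ACCEPT = "accept"

@dataclass(frozen=True)
class Asset:
    name: str
    creation_cost: float    # cost to create or acquire the information (Poore, 2000)
    recreation_cost: float  # cost to re-create it if damaged or lost

    def value(self) -> float:
        # Poore: when re-creation is markedly dearer, the higher figure is taken
        # as the asset's value; otherwise the original cost stands.
        return max(self.creation_cost, self.recreation_cost)

@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    probability: float  # likelihood of the event in the planning period (0..1, assumed scale)
    impact: float       # fraction of the asset's value lost if it occurs (0..1, assumed scale)

    def exposure(self) -> float:
        """Expected loss: asset value x likelihood x impact."""
        return self.asset.value() * self.probability * self.impact

def quadrant(risk: Risk, threshold: float = 0.5) -> str:
    """Place a risk in the 'Probability' versus 'Consequences' model."""
    p = "high" if risk.probability >= threshold else "low"
    c = "high" if risk.impact >= threshold else "low"
    return f"{p}-probability/{c}-impact"

# Drew (2005): what each quadrant demands of the organisation. Pairing each
# quadrant with a single treatment option is our assumption, not the paper's.
RESPONSES = {
    "low-probability/low-impact": (Treatment.ACCEPT, "routine monitoring"),
    "low-probability/high-impact": (Treatment.CONTINGENCY, "business continuity, recovery/backup, awareness training"),
    "high-probability/low-impact": (Treatment.REDUCE, "resources readily available, visible leadership commitment"),
    "high-probability/high-impact": (Treatment.PREVENT, "urgent controls to stop or severely reduce consequences"),
}

def treat(risk: Risk, appetite: float) -> tuple[Treatment, str]:
    """appetite: the largest expected loss the organisation will 'live with'."""
    if risk.exposure() <= appetite:
        return Treatment.ACCEPT, "within risk appetite"
    return RESPONSES[quadrant(risk)]

def treatment_plan(risks: list[Risk], appetite: float) -> list[dict]:
    """Risk Treatment Plan rows, worst exposure first, one control decision each."""
    rows = []
    for r in sorted(risks, key=Risk.exposure, reverse=True):
        treatment, action = treat(r, appetite)
        rows.append({"asset": r.asset.name, "threat": r.threat,
                     "exposure": round(r.exposure(), 2), "quadrant": quadrant(r),
                     "treatment": treatment.value, "action": action})
    return rows

# Constructed sample register (figures and threats are made up for illustration).
CUSTOMER_DB = Asset("customer database", creation_cost=50_000, recreation_cost=400_000)
BROCHURE = Asset("marketing brochure", creation_cost=5_000, recreation_cost=5_000)
RISKS = [
    Risk(CUSTOMER_DB, "ransomware encrypts the database", probability=0.2, impact=0.9),
    Risk(CUSTOMER_DB, "phished staff credentials reused", probability=0.6, impact=0.6),
    Risk(BROCHURE, "draft lost with a misplaced laptop", probability=0.7, impact=0.4),
    Risk(BROCHURE, "printer outage delays reprint", probability=0.3, impact=0.2),
]

if __name__ == "__main__":
    for row in treatment_plan(RISKS, appetite=1_000):
        print(f"{row['exposure']:>10.2f}  {row['treatment']:<11} {row['asset']}: {row['threat']}")
```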
Figure 3: Basic Risk Assessment Process (Source: McCumber, 2005, p. 236)

It follows that, as part of the risk assessment process, risks must be logically categorized in order for them to be properly understood and remediated, or at least for the correct controls to be applied. One technique for categorizing risks is by their defining characteristic of being ‘known’, ‘unknown’ or ‘unknowable’ (Figure 4). Analysing this model, we can see that well understood ‘known’ risks have a high chance of appearing time after time in risk assessments; ‘unknown’ risks are not included in a security policy because the assessment lacks the expertise to identify them; and ‘unknown/unknowable’ risks could not reasonably be predicted, even with a wide and experienced knowledge base (Dresner & Wood, 2007). Though it would be possible to devote a great deal of time to the classification and measurement of risk, Drew (2005) argues that this exercise should be limited to only the extent required to energise a new strategy and gain commitment from senior management, as the integration of this risk planning into a successful security policy requires a number of stages that allow for modification as work progresses.

Figure 4: Risk Categorization (Source: Dresner & Wood, 2007, p. 303)

The analysis of risk classification having been discussed, the nature of the risks faced by an organisation must be defined in such a way as to allow the appropriate treatment to be applied should a risk occur. A ‘Probability’ versus ‘Consequences’ model enables risks to be classified according to the likelihood of them occurring and the impact caused by the event. This classification method then allows the approach to risk management to change according to severity.
Drew (2005) argues that low-probability, low-impact events may only require routine monitoring, with little involvement from senior leadership and no necessary cultural changes to the organisation, but low-probability, high-impact events would require an organisation to apply controls that allow for the continuity of business; recovery, or the use of backup systems; a high level of security awareness and training for staff; and attention to the structures and systems of the organisation. High-probability, low-impact events require that resources are made readily available for risk management, with visible leadership commitment. High-probability, high-impact events, clearly the most severe in this model, require that applicable controls are put in place with some urgency in order to mitigate, or severely reduce, the consequences of the risk occurring. Considering this argument, one must also take into account the size of the organisation for which a security policy is being designed: a large company may have a framework that is complex and contains a large number of advanced controls, while a smaller company could potentially rely on fewer, simpler controls. Once risks have been defined and categorized, a Risk Treatment Plan must be formulated, whereby a control is applied to each risk in order for it to be treated, reduced, transferred or accepted, and for these decisions to be documented accordingly.

One of the issues put forward in the previously mentioned study of business managers and information security professionals (Knapp et al., 2007) concerns the domain of password management and excessive security measures being applied, whereby business managers (in general) valued productivity over information security and argued that overly stringent password policies can even decrease security. This decrease in security would be caused by employees being forced to use overly complex passwords for multiple applications and writing them down for fear of forgetting them. A security plan would need to consider an issue such as this and either accept the risk (of passwords being written down, and therefore having a higher chance of being compromised) or otherwise treat or reduce it, perhaps by changing the complexity of the password requirements defined by policy.

The production, implementation and categorization of risk having been thoroughly analysed, one must next consider the information management audit as a critical function in the life-cycle of a sound ISS and of good corporate governance. An audit may be an internal function; required as part of a regulatory act (Sarbanes-Oxley, for example); or, as in the case of ISO 27001, required in order to be certified ‘compliant’ with a specific standard.
As argued by Bassett (2007), an effective audit “...can enhance the organisation’s security stance, further its mission, and act as a catalyst that promotes sound IT governance”, and involves reviewing controls and compliance with policies to help an organisation monitor how it conducts business whilst protecting the company, its employees and customers. An audit also systematically validates the security, reliability, integrity and privacy of information systems in order to ensure that their activities are legal (Carlin and Gallegos, 2007). The progression of an audit process usually follows several stages, and in ISO 27001 this is defined as a three-stage process:

1. A preliminary review, which will be an informal/internal review of the information security plan to check for completeness in key documents, such as the information security policy and Risk Treatment Plan.

2. A detailed (possibly formal) compliance audit; for example, in the pursuit of ISO 27001 compliance, qualified external auditors will gather evidence to confirm that the strategy has been properly designed, implemented and is in current operation.

3. Follow-up reviews to confirm that compliance is maintained. ISO 27001 requires that this process happen annually at a minimum, but it can be conducted more frequently, if agreed by management, particularly whilst an ISMS is in its infancy and still maturing.

Looking at this from a wider perspective, Carlin and Gallegos (2007) argue that an audit cycle consists of several phases that serve to define the scope of an audit and its objectives; evaluate internal controls; conduct compliance testing; and finally report on detected weaknesses or failures within the system. Having looked at the various stages of an audit process, we must now look at how an audit might take place. This involves employing a systematic approach in order to test all of the relevant areas, also described as conducting ‘fieldwork’ to test the controls.
This can be done using automated tools (programs such as Nmap, Snort and Nessus are commonly used within the information security domain) that respectively provide information about a network such as the operating system being run, the services being provided and the types of firewall in place; intrusion detection, packet sniffing or logging and network traffic analysis; and network scanning to report and provide recommendations on devices identified as being vulnerable to attack or security breach (Viljoen, 2008). Following on from the argument that an audit helps to validate an organisation’s security posture, Fitzgerald (2007) asserts that it is essential that audit issues are quickly and correctly analysed by IT management, as the Confidentiality, Integrity and Availability of information is potentially compromised when the defined process is not followed: misguided investment is made in firewalls, anti-virus software, spam filtering and other technologies rather than effectively reviewing the logs, reports and suggested remediation techniques of the tools already employed.

4. Issues within Information Systems Security

It is apparent that, for all the wealth of literature, models, methods and tools available to aid the implementation of information security strategies, there are a multitude of conflicting arguments and ‘outdated’ ideas replaced by new and ever-changing regulations, techniques and standards. This is discussed by Mead et al. (2000), who debate whether or not the information security policy field is developing at a rapid enough pace, whether it should be individual organisations, official standards bodies, governments or other entities that are responsible for the establishment of security policy, and the pros and cons of these choices. Another question raised in the discussion asks whether it is practical to have a universal, standardised approach that would satisfy everyone, and whether it would be a viable alternative to the current situation, whereby there are often multiple, and sometimes competing, standards.
As well as the issues raised regarding where responsibility should lie for the implementation of security strategies, McCumber (2005) asserts that “all models have shortcomings” (p. 15) and goes on to state that, just as maps are unable to provide details of traffic jams and blueprints for buildings lack topographical detail, it is impossible for any single model for information security planning to provide ‘security out-of-the-box’, due to various factors such as human error or, as detailed by Knapp et al. (2006), “User awareness training and education” issues, “Low funding and inadequate budgets” and “Legal and regulatory issues” (Table 1, p. 101). The report goes on to highlight that security professionals and business managers have differing opinions on what the most important issues are when addressing the security concerns of an organisation. This could be a result of the differing focus of the two groups, with security professionals approaching things from a more technical direction, an area relatively invisible to business managers. Perhaps unsurprisingly, though, the two groups shared the issues of Confidentiality, Integrity and Availability (of information), and backup and recovery / business continuity, as areas of common ground, as these may be considered critical issues and high on the list of any plan required to mitigate loss (financial or of data) and to justify expenditure, whether viewed from an IT security or a business perspective.

Other areas that must be weighted with increasing importance in the domain of information security strategy are the issues of an increasingly mobile workforce and the security concerns that accompany the use of smartphones, laptop computers and tablet devices. The consumerisation of these devices is well reported; one study (Signorini and Hochmuth, 2010) found that 54% of business professionals use their personally purchased device, and 34% use non-approved applications such as Google Docs or Yahoo! Messenger, for business-related activities. The report goes on to argue that the factors driving this trend are the proliferation and availability of smartphones and tablets, easier integration of these devices into business applications, and an increasingly blended work/home life. An organisation must find common ground whereby both the user and the business benefit from this integration, whilst still protecting sensitive data from being compromised. Despite reports such as these, the findings of Baker and Wallace (2007) indicate that the identification and tracking of remote connections into the enterprise (and potentially into critical systems) are not generally highlighted as a significant source of risk, and therefore have sufficient security controls applied. It can therefore be argued that some smartphone capabilities have legitimate business functions for mobile employees, for example the integration of business e-mail into native mail applications, navigation/GPS and instant messaging, all of which are generally considered to be ‘personal’ features. However, each application should be individually evaluated to determine whether it is harmful to the security of the organisation, and whether a mobile device policy (as part of the ISS/ISMS) should outright forbid the use of personal devices or incorporate them into the organisation with the appropriate control mechanisms applied to ensure the security of any information that is accessed and then stored on these devices.

5. Conclusions

With increasingly severe financial penalties, potential loss of earnings, and damage to the reputation of an organisation resulting from the loss or theft of sensitive information, non-compliance with legal standards, or breach of governmental legislation such as the Data Protection Act, it is of vital importance to a business that enough time, effort and budget is allocated to the design and implementation of, and adherence to, a sound security strategy that will do its best to protect the information assets of the organisation itself, its employees, customers and business partners.
Information security professionals, IT staff and business managers must between them balance the requirements of a strong security strategy against the allocated budget, doing the absolute maximum to ensure the protection of the organisation’s information assets whilst being reasonable about security-related expenditure, in the pursuit of regulatory compliance and general good business practice, in order to be profitable, ensure the confidence of customers and partners, and see a positive RoI for the policies and measures that are implemented. Finally, due to the ever-changing and increasingly complex domain of information technology, escalating volumes of stored structured and unstructured information, and the numerous ways of accessing that data, be that via the traditional office computer, personal laptop, smartphone or tablet device, an organisation must employ a security strategy that is robust yet flexible enough to incorporate new (and possibly as-yet undefined) regulations and legal requirements; identify, categorize and apply appropriate controls to emerging threats and risks; and regularly review and amend policies so that such changes are documented and can continue to be addressed appropriately.

References

Baker, W. et al. (2007), ‘Necessary Measures: Metric-driven information security risk assessment and decision-making’, Communications of the ACM, 50, p. 101-106, Association for Computing Machinery.

Baker, WH. & Wallace, L. (2007), ‘Is Information Security Under Control?: Investigating Quality in Information Security Management’, IEEE Security & Privacy, Jan/Feb 2007, p. 36-44.

Bassett, J. (2007), ‘Security in Management’s Terms.’ Available at: http://www.theiia.org/intAuditor/in-the-profession/2010/it-governance/security-in-managements-terms/ [Accessed: 01 September 2011]

British Standards Institution, (2005), BS ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, BSI.

Carlin, A. & Gallegos, F. (2007), ‘IT Audit: A Critical Business Process’, IT Systems Perspectives, July, p. 87-88.

Commission of the European Communities, (2003), ‘Modernising Company Law and Enhancing Corporate Governance in the European Union – A Plan to Move Forward’, COM (2003) 284 final.

Damianides, M. (2005), ‘Sarbanes-Oxley and IT Governance: New Guidance on IT Control and Compliance’, Information Systems Management, (Winter) p. 77-85.

Defense.gov News Transcript: DoD News Briefing - Secretary Rumsfeld and Gen. Myers. 2002. [Online] Available at: http://www.defense.gov/transcripts/transcript.aspx?transcriptid=2636 [Accessed: 03 August 2011]

Dresner, DG. & Wood, JR. (2007), ‘Operational risk: acceptability criteria.’ Third International Symposium of Information Assurance and Security, p. 301-306. IEEE Computer Society.

Drew, SA. & Kendrick, T. (2005), ‘Risk management: the five pillars of corporate governance’, Journal of General Management, 31 (2) p. 19-36.

Drew, SA., Kelley, PC. & Kendrick, T. (2006), ‘Five elements of corporate governance to manage strategic risk’, Business Horizons, (49), p. 127-138.

Fitzgerald, T. (2007), ‘Clarifying the Roles of Information Security: 13 Questions the CEO, CIO, and CISO Must Ask Each Other’, Information Systems Security, 16, p. 257-263.

Freeman, E. (2007), ‘Holistic Information Security: ISO 27001 and Due Care’, Information Systems Security, 16, p. 291-294.

International Organisation for Standardization, (2005), ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management, ISO.

Kadam, AW. (2007), ‘Information Security Policy Development and Implementation’, Information Systems Security, 16, p. 246-256.

Knapp, K. et al. (2007), ‘Do Information Security Professionals and Business Managers View Information Security Issues Differently?’, Information Systems Security, 16, p. 100-108.

Knapp, K., Marshall, T.E., Rainer, R., Kelly, JR. & Morrow, D. (2006), ‘The Top Information Security Issues: What Can Government Do to Help?’, Information Systems Security, September/October, p. 51-58.

McCumber, J. (2005), Assessing and Managing Security Risk in IT Systems, USA: CRC Press LLC.

Mead et al. (2000), ‘Information Security Policy’ Roundtable, IEEE Software, Sep/Oct, p. 26-32.

Oladimeji, E. et al. (2006), ‘Representing Security Goals, Policies, and Objects’, in Proc. of the 5th IEEE/ACIS International Conference on Computer and Information Science (ICIS’06), July 2006.

Poore, RS. (2000), ‘Valuing Information Assets for Security Risk Management’, Information Systems Security, Sep/Oct, p. 17-23.

Vera, C. (2010), ‘The Mission of Security Awareness’, blog.sucuri.net [Online] Available at: http://blog.sucuri.net/2010/06/the-mission-of-security-awareness.html [Accessed: 18 August 2011]

Viljoen, M. (2008), A Framework Towards Effective Control in Information Security Governance, unpublished M Tech IT thesis, Nelson Mandela Metropolitan University.

Whitman, ME. & Mattord, HJ. (2011), Principles of Information Security, Google Books [Online] Available at: http://books.google.com/books?id=L3LtJAxcsmMC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false [Accessed: 01 September 2011]

Yankee Group Research, Inc. (2010), ‘Consumerization of the Mobile Enterprise’, Boston, MA: Yankee Group.