The technological explosion is nowadays forcing organizations to change their structures and ways of operating. The use of Information and Communication Technologies (ICT), their role and importance are increasing daily. Technology is becoming the main factor for productivity growth and the competitiveness of organizations, and it often also allows effective cost reductions. An organization’s communication center and information systems have thus become increasingly important as they are increasingly depended upon. A malfunction of the ICT infrastructure can paralyse the whole organization and might have disastrous consequences for the company at many levels (financial, reputational, etc.).
The risk of paralysis could be even more critical for companies whose principal asset and added value is information. A typical highly vulnerable sector for such risks is, for example, the services sector. Security issues within an organization must therefore be treated as a priority at top managerial level.
On the other hand, and based on new ways of operating businesses, modern organizations collaborate increasingly with other organizations, their customers, and other stakeholders by technological means. This emphasises the need for a reliable and secure ICT infrastructure. The organization, and more specifically its information systems, will operate within an open and hostile environment. The organization thus has to deal with two contradictory objectives that have opposite impacts on information security.
• The first is the need to remain competitive, which obliges the organization to adopt a structure based on extensive communication.
• The second is the trust the organization has to inspire in its stakeholders, which requires a more restrictive environment, since an environment built on extensive communication is not fully compatible with the security instinct.
At first sight it seems that there is a contradiction between these two objectives and so a prioritization analysis should be performed in order to obtain the best compromise. Operating within an open environment introduces new risks that are less significant than those introduced in a restrictive environment; in our view it is preferable to accept, and make appropriate efforts to mitigate, the ICT risks ensuing from the extensive communication structure.
In order to remain secure, the organization has to choose among the different techniques of controlling risk, such as preventive, deterrent and reactive means. Often all these means are interrelated and should be applied together in order to provide a reasonable level of security. The use of the term “reasonable level,” in a context where a “definitive level” would not be realistic, brings with it the necessity to consider
• a frame of reference for determining the meaning of the “level”; and
• measures of effectiveness and efficiency related to the “reasonable” property of the level.
A security evaluation (or assessment) framework should be developed in order to manage and maintain such a “reasonable level.” The way of evaluating or assessing will be strongly related to two main features:
• The purpose of the evaluation (i.e. compliance, risk, certification, technical requirements, management issues etc.);
• The entity in charge of the evaluation and its finality (external evaluation, internal evaluation).
The top level of management must deal with information security management by considering it as a key part of their duties in running the organization, and one that increases the complexity of decision-making. Multiple strategic decisions concerning information security have to be taken at top management level in order to determine how many resources to allocate, which risks the organization is ready and prepared to accept, what the security needs of the organization are, and so on. At the same time it is difficult to assess and evaluate the effectiveness of organizations’ security installations. For that purpose, a governance approach in general, and more specifically the use of metrics to evaluate the effectiveness and efficiency of information security measures, are of the utmost importance for the organizations’ management.
Before presenting the evaluation structure and process, we will briefly summarise, in the following chapter, some fundamental principles related to information security and to risk and security management.
A governance perspective on information security
Information and Communication Technologies (ICT) security considers the security of information from a technological perspective, while information security is a wider concept that considers all aspects of information, independently of the medium, as well as the handling of information. The concept of information security includes all the disciplines related to ICT security, such as network security, application security, physical security and logical security, as well as the business view. To improve the quality of the protection of the information infrastructure, these two concepts are covered within this book under the general label of information security.
From definition to interpretation
The European Network and Information Security Agency (ENISA) considers information security to be the means of providing the basis for operating in today’s increasingly interconnected and technologically complex world. In ENISA’s definition, the purpose of information security is defined by its focus on the way it operates within businesses. This way of considering information security fully corresponds with the idea, frequently noted in the academic literature, that nowadays information security is more often a proactive activity driven by business leadership than a technology-driven function. From this perspective, the activities of the information security function should be the result of a group of requirements that are defined by the highest levels of the organization, since these levels are responsible for the continued existence of the organization. Information security is increasingly considered as a critical business function that keeps an organization and its critical assets secure in times of rapid expansion.
Information security management is used to protect assets and mitigate risks by applying and combining security technology and management practices. Information security countermeasures are the direct response to the risks an organization could face.
The perspective of the standards
From a review of well-recognized and widely shared international standards, several different perspectives are taken into account in defining the concept of Information Security.
ISO/IEC 13335-1:2004 defines information security as being the preservation of the confidentiality, integrity and availability of information; these are also seen as the security objectives.
Information security appears to be, in this context, an operational function related to some well-defined and specific objectives such as those mentioned above. At the same time, standards related to risk management consider information security to be the means of protecting information assets against the risk of loss, operational discontinuity, misuse, unauthorized disclosure, inaccessibility, damage and civil or legal liability. ISO/IEC 27002:2005 defines information security as a process for protecting information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investment and business opportunities by preserving the confidentiality, integrity and availability of information. As in the ENISA definition, the focus of the information security function still remains “business prosperity,” modelled by the three above-mentioned security objectives. Loss of productivity, of revenue, or of reputation, or legal penalties, could result from ICT related risks. The information security function becomes a business function akin to the other, traditional, business functions, meaning that supplementary added value could be provided if the information security function is operated in an “adequate manner”. The Return on Investment (RoI), as well as the adequacy of the information security function, brings into focus the necessity of managing such domains as business functions.
The management process in its general sense addresses short-term issues related to the availability of budgets and resources or, more generally, creates conditions allowing activities to be performed as smoothly as planned. This means that all the ongoing processes, including the security measures, practices, procedures and activities, require the efficient use of the resources provided. In this sense, information security should provide the expected results based on the requirements that were derived from an in-depth analysis performed by the organization’s senior management. In addition to effectiveness, the information security function should ensure the efficiency of its activities, considering them from an economic perspective. In order to do this, an approach based on management and control is needed, in order to ensure that the security requirements are addressed and the expected results are achieved; this is the main concern of a security governance function. Handling information security as a corporate governance issue can be seen as a natural evolution of the way that institutions manage ICT related threats and risks. In addition to the technical, managerial and regulatory compliance issues, information security is nowadays a strategic issue with which executives have to deal.
A business and organizational perspective
As time passes and organizations mature, information security moves closer to the business functions, and its effectiveness depends increasingly on the way that this function is managed and controlled. Based on this, and given also the fact that in these circumstances technological knowledge and expertise in the provision of security solutions will have reached a high level, the remaining issues do not concern the level of technology but rather the way that technological opportunities are utilized in order to meet security objectives. In other words, the main concern regarding the level of protection of the organizational assets is the way that security is managed and how that could contribute to fostering trust in ICT environments. Trust is directly related to the level of information security and its effectiveness.
Information security life cycle
Information security can be broken down into three kinds of components:
• Information security requirements, representing the security goals;
• Information security policy, representing the steps to be undertaken in order to ensure an adequate level of security protection;
• Information security mechanism, representing the tools (technical, operational and managerial) to be used in order to enforce policy.
These components, grouped in a managerial framework, should contribute to mastering the information security lifecycle, to handling crisis recovery situations, and to protecting the information systems and making them operate as expected. Information security has become a necessary condition to ensure that everything goes as smoothly as planned in respect of Information Technology-related activities. As a result, the information security function is itself entrusted with another responsibility alongside the objective of moving organizational values out of danger: that of responsibility for the quality of the end result. This is the main reason why security increasingly tends to be a business process and why it is important to stress the importance of the management and governance processes of security with respect to the overall organization.
Information management framework and processes
Security management is a framework composed of a number of processes concerned with planning and managing a defined level of security. It has become the cornerstone of the effectiveness of the security program because the security focus itself has changed from a technical one (based on technical risks) to a governance approach.
Three sub-activities of the information security management can be distinguished:
• The implementation of the operational security measures;
• The information security plan, which covers the specific Service Level Agreements (SLAs) for information security representing the security goals to be achieved based on the security needs;
• The information security controls which consider information security as a process and address issues such as responsibility and policy statements.
Very often the drivers of internal information security are security incidents, relevant laws and regulations, and specific client requirements. This promotes a reactive approach to information security that is mostly focused on problem solving rather than on proactive activities. A proactive attitude would emphasise the efficiency and effectiveness of security measures by taking into account first the specific security needs that are derived from the various security constraints, both technical and economic. It should not be forgotten that technology still impacts information security in three ways, by:
• Introducing new vulnerabilities;
• Changing the way the business is done;
• Changing the way the workplace is organized.
Furthermore, mastery of the technological issues has reached a high level, especially through the availability of relevant information, so that security breaches are often directly linked to the implementation and understanding of systems. This statement reinforces the idea that information security effectiveness relies mainly on the quality of controls in place, their implementation and management. Information security is a managerial issue rather than a technical one.
Extracted from Information Security Evaluation
Written by Igli Tashi and Solange Ghernaouti-Hélie
Published by The EPFL Press