Information Security from a Business Perspective
It must be designed and implemented as a core ingredient of the business strategy
Feb. 9, 2011 06:00 AM
As enterprises struggle to remain profitable in an ever-changing risk environment, the current economic crisis has elevated the need for effective business risk management. Information security is a key parameter that affects business risk. The academic definition of information security is the "preservation of confidentiality, integrity and availability of information."  Confidentiality is the preservation of secrecy of information (e.g., business reports, technical designs or financial projections) by ensuring that viewing is conducted solely by authorized people. Integrity is ensuring that information is accurate and consistent and has not been manipulated. Availability ensures that information is accessible to authorized people when needed.
Historically, information security has been addressed primarily as a technical issue. Preventive controls, such as firewalls, user access control mechanisms, encryption of data and communications, digital signatures, data backup systems, and detective controls, such as intrusion detection systems or security monitoring platforms, have formed the basic components of security architecture. Often, the technical controls are complemented by a set of security policies, procedures and guidelines aimed at controlling the actions of personnel.
This approach, though, has proven to be insufficient. Security incidents continue to rise and security problems remain unsolved while information security experts have been challenged to effectively communicate the value of information security to enterprise management. The root cause of these problems may be the definition of information security itself. There is a lack of consistency as each sector, industry and even enterprise has had to define information security uniquely, based on very specific business needs. This lack of consistency has contributed to a lack of understanding and a lack of appreciation for the value of information security.
Information Security Defined
Providing services to the public also has societal and political facets. Businesses must adhere to a governmental regulatory and legal framework. The provision of secure and fair outlets to citizens is a matter of social responsibility. Moreover, the government is a shareholder of business (directly or indirectly through taxing); thus, business success affects the corresponding governmental revenue.
The aforementioned facts are clarified in relation to information security when the drivers of shareholders' trust are studied in more detail. For example:
In relation to the business role of information security, drivers should be:
. Corporate viability, which is driven by compliance of license terms
. Competitive advantage, which ensures customer acquisition
. Brand name value preservation, which ensures customer retention
. Legal and regulatory compliance (e.g., the integrity of financial records and PII protection)
- Customers' trust:
. Business integrity
. Service availability
. Protection of the confidentiality of customers' sensitive information
Using this definition of information security for the business sector, a holistic approach is required for addressing the information security requirements of each unique organisation. This requires a detailed business analysis for embedding information security into the specific business processes and also for addressing the human factor and minimizing the uncertainty it introduces. International security standards provide a solid base for information security from a business perspective.
THE INFORMATION SECURITY STANDARDS LANDSCAPE
The Security Control Standard (SCS) is an extension of the globally recognized information security standard ISO 27001 of the International Organization for Standardization (ISO), which is related to the establishment of information security management systems (ISMSs). Such systems provide the framework for managing information security from planning to implementation, monitoring and improvement.
ISACA has published a set of information technology (IT) auditing standards and the Risk IT: Based on COBIT framework, which provides a set of guiding principles for effective management of IT risk. Risk IT complements COBIT, a comprehensive framework developed by ISACA for the governance and control of business-driven, IT-based solutions and services. In 2009, ISACA published An Introduction to the Business Model for Information Security, the first publication released under the Business Model for Information Security (BMIS), which addresses information security from a business perspective, and in 2010, the full model was published as The Business Model for Information Security.
Other standards include the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements for enhancing payment account data security, and the Special Publications (800 series) of the US National Institute of Standards and Technology (NIST), which are documents of general interest to the computer security community. The aforementioned standards provide an indicative view of the information security standards landscape. Other standardization bodies and associations provide their own guidelines in the field. In addition, technical security best practices of system vendors provide additional guidelines.
The modern business sector has to select the information security standards to use as a basis for its security architecture, and it must customize this selection according to its specific business needs.
Case Example from the World Lottery Association
To become an online participant in lotteries and other gaming sites an individual must disclose their sensitive details; this is very often the only means by which one can become a ‘player'. Being able to trust a lottery or gaming site with sensitive details should, therefore, be the foremost concern of a player as there is little point in worrying about payout procedure when compromised details could mean a bigger loss than any potential gain.
The WLA's Security Control Standard takes the above factors into consideration- perfectly illustrating how the security of data can be adapted to a unique business situation.
The business must answer a number of questions to calculate the impact of security breaches, including:
- How much would this cost the business in monetary terms?
- What would be the indirect costs (e.g., from reputation loss) if information is sold?
- What would the legal implications be?
Business processes are then prioritized based on an impact scale that identifies the most critical issues.
- Are there technical controls in place to safeguard customer data?
- Do procedures exist to complement the technical security controls?
Business Model for Information Security
The following definitions of the BMIS elements (derived from An Introduction to the Business Model for Information Security) are necessary for understanding how BMIS works:
To understand the operation of BMIS in practice, it is important to study the links connecting organization design and strategy, people, process, and technology.
Reader Feedback: Page 1 of 1
SOA World Latest Stories
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
SYS-CON Featured Whitepapers
Most Read This Week