Principles of Information System Security: Text and Cases

Presentation transcript:

Principles of Information System Security: Text and Cases
Gurpreet Dhillon
PowerPoint prepared by Youlong Zhuang, University of Missouri-Columbia

Chapter Seven: Planning for Information System Security

Copyright 2006 John Wiley & Sons, Inc.

Learning Objectives
- Clarify misconceptions about security policies
- Realize the position of policies with respect to strategies and corporate plans
- Differentiate the three classes of IS security decisions
- Understand the four core IS planning principles

Security Strategy Levels
- Strategy refers to managerial processes
- Policy refers to contingent decisions
- Programme is about a time-phased action sequence
- Operating procedure is used for repetitive actions with a predetermined outcome

Security Strategy Levels (Figure 7.1)

Security Strategy Levels (cont’d)
- Corporate security strategy determines key decisions regarding investment, divestment, diversification, and integration of computing resources
- Business security strategy looks into the threats and weaknesses of the IT infrastructure
- Operational security strategy provides detailed deployment of the procedures

Security Strategy Levels (cont’d)
- “good managers don’t make policy decisions”
- Develop a broad security vision that brings the issue of security to centre stage and binds it to the organizational objectives
- Traditional security policy lacks consistency with the organizational purpose

Classes of Security Decisions in Firms (Table 7.1)

Classes of Security Decisions in Firms (Table 7.1, cont’d)

Strategic Decisions
- Choose the right kind of environment
  - War environment: physical security
  - Bribery is common: undermines control structures
- Relate to the nature and scope of a firm’s relationship to other firms and contexts
  - US-based firm: Sarbanes-Oxley Act

Strategic Decisions (cont’d)
- Are investments in security products and services paying off?
  - Both security investments and breaches are up
  - Security investment may be in the wrong places
  - The benefits of security investment may be intangible

Strategic Decisions (cont’d)
- Key decisions about security objectives should be identified
  - Setting security objectives and goals
  - Resource allocation for security strategy
  - Infrastructure expansion strategy
  - Research and development for future operations

Double Loop Learning (Figure 7.2)

Double Loop Security Design Process (Figure 7.3)

Administrative Decisions
- Create adequate structures and processes to realize adequate information handling
- Beyond the realm of traditional IS security
- Increasingly becoming more central to planning and organizing for security

Administrative Decisions (cont’d)
- Organizational structure of information flows
  - Authority and responsibility structures
  - Structure of resource conversions
  - Establishing high-integrity business processes
- Resource acquisition
  - Financing security operations
  - Return on security investments
  - Facility management

Operational Decisions
- Optimize work patterns for efficiency gains
- Ensure business process integrity
- Schedule resource application
- Supervision and control

Operational Decisions (cont’d)
- Identifying operating objectives and goals
- Costing security initiatives
- Operational control strategies
- Policies and operating procedures for various functions
- R = P × C (R is risk, P is probability, C is cost)
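As an added worked example that is not part of the slides: the risk expression R = P × C above, used to cost security initiatives and rank operational controls by the risk they remove net of their own cost. The threats, probabilities, loss figures and controls are constructed sample data, and the net-benefit comparison is an assumed way of applying the formula, not something the chapter itself spells out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    probability: float   # P: likelihood of occurrence over the planning period (0..1)
    cost: float          # C: loss incurred per occurrence

@dataclass(frozen=True)
class Control:
    name: str
    threat: str                  # name of the Threat this initiative addresses
    annual_cost: float           # what the initiative itself costs over the period
    residual_probability: float  # assumed P once the control is in place

def risk(threat: Threat) -> float:
    """The slide's R = P * C: expected loss from one threat."""
    return threat.probability * threat.cost

def net_benefit(threat: Threat, control: Control) -> float:
    """Risk removed by the control minus its own cost; negative means not cost-justified."""
    residual = Threat(threat.name, control.residual_probability, threat.cost)
    return risk(threat) - risk(residual) - control.annual_cost

def rank_controls(threats: list[Threat], controls: list[Control]) -> list[tuple[str, float]]:
    """Rank candidate initiatives by net benefit, best first."""
    by_name = {t.name: t for t in threats}
    scored = [(c.name, net_benefit(by_name[c.threat], c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample figures for illustration only (not taken from the text).
THREATS = [
    Threat("phishing-credential-theft", 0.40, 50_000.0),
    Threat("data-centre-flood", 0.02, 2_000_000.0),
    Threat("laptop-loss", 0.25, 8_000.0),
]
CONTROLS = [
    Control("MFA rollout", "phishing-credential-theft", 6_000.0, 0.10),
    Control("Flood defences", "data-centre-flood", 50_000.0, 0.005),
    Control("Full-disk encryption", "laptop-loss", 1_500.0, 0.02),
]

if __name__ == "__main__":
    for name, benefit in rank_controls(THREATS, CONTROLS):
        print(f"{name:22s} net benefit: {benefit:>10,.0f}")
```

On these figures the flood defences remove 30,000 of expected loss but cost 50,000, so they rank last; the model makes that trade-off visible rather than deciding it, since intangible benefits (the point raised under Strategic Decisions) are not in R.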

Prioritizing Decisions
- Identify a broad range of objectives for IS security
- Objectives can be classified into fundamental objectives and means objectives
- Objectives are hard to rank and are context specific

A Network of IS Security Means and Fundamental Objectives (Figure 7.4)

Security Planning Process
- Systematically identify and address a range of performance gaps
- Build proper security into the organization
- Involve stakeholders
- Understand what stakeholders want

Security Planning Process (cont’d)
- Peter Checkland’s Soft Systems Methodology (SSM)
  - Ideal situation (systems thinking)
  - Real-world situation (real-world thinking)
  - Compare the conceptual models with the problem situation
- The application is iterative, not always sequential

Orion Security Strategy Model
- SSM is used to manage IS security in a healthcare environment
- Users feel responsible for IS security in their given work area
- It offers an opportunity to tap into the knowledge of the users
- It increases awareness of the range of security issues among co-workers
- Security is integrated into the organizational mindset

A High-Level View of the Orion Strategy (Figure 7.5)

Orion Strategy Process
- It is conceptualized at two planes of reality
  - Level 1: the physical world, where all actions and processes can be seen and measured
  - Level 2: the abstract or conceptual level, where idealized processes and work situations exist

Orion Strategy Process (cont’d)
- It has seven steps
- Activity 1: Acknowledgement of possible security vulnerability
  - Collect perceptions of the problem situation
  - No analysis is undertaken per se

Orion Strategy Process (cont’d)
- Activity 2: Identify risks and the current security situation
  - Draw a detailed picture of the current situation
  - Focus on the existing structures and processes
  - Review security reports
  - Study outcomes of traditional risk analysis

Orion Strategy Process (cont’d)
- Activity 3: Identify the ideal security situation
  - Develop hypotheses concerning the nature and scope of improvements
  - Stakeholders participate to identify both ‘feasible’ and ‘desirable’ options
  - It is rooted in the ideal world

Orion Strategy Process (cont’d)
- Activity 4: Model ideal information systems security
  - A conceptual modeling step
  - Define performance measures
  - Monitor activities in accordance with the defined metrics
  - Take control actions

Orion Strategy Process (cont’d)
- Activity 5: Comparison of ideal with current
  - Conceptual model as a base for structured questioning
  - Comparing history with model prediction
  - General overall comparison
  - Model overlay
  - May lead to multiple reiterations of Activities 3 and 4

Orion Strategy Process (cont’d)
- Activity 6: Identify and analyze measures to fill gaps
  - Review a wider context of the problem domain for possible alternative solutions
  - Make sure no alternatives are dismissed

Orion Strategy Process (cont’d)
- Activity 7: Establish and implement the security plan
  - Consider recommendations developed in Activity 6 and formulate solutions
  - Devise an implementation plan
  - Identify detailed tasks
  - Establish criteria to subsequently measure success

IS Security Planning Process Framework (Figure 7.6)

IS Security Planning Principles
1. A well-conceived corporate plan establishes a basis for developing a security vision
  - Objective is the smooth running of the business
  - Proper organizational and contextual analysis
  - IS security on centre stage

IS Security Planning Principles (cont’d)
2. A secure organization lays emphasis on the quality of its operations
  - Considering threats and countermeasures is not enough
  - Quality is an elusive phenomenon
  - ‘Rationalist approaches’ are a serious security concern

IS Security Planning Principles (cont’d)
3. A security policy denotes specific responses to specific recurring situations and hence cannot be considered a top-level document
  - Corporate planning should recognize secure information systems as an enabler of business
  - Responsibilities for development should be delegated to the lowest appropriate level

IS Security Planning Principles (cont’d)
4. Information system security is of significance if there is a concurrent security evaluation procedure
  - Check deviance of specific responses for particular actions
  - Quality, performance, and security are defined in terms of conformity to an auditable process

Copyright 2006 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permission Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.