Anene L. Nnolim, Annette L. Steenkamp
College of Management Lawrence Technological University
Abstract

This paper reports on part of a doctoral dissertation research project in information security management. The intent of this research is to attempt to determine how information security management could be enhanced as a structured and repeatable management process, and to develop an appropriate architectural framework and methodology that could enable integration of information security management with enterprise life cycle processes. Over the years, the focus of information security has evolved from the physical security of computer centers, to securing information technology systems and networks, to securing business information systems. The proliferation of computer networks and the advent of the Internet added another dimension to information security. With the Internet, computers can communicate and share information with computers outside an organization's networks and beyond its computer center. This new mode of communication meant that the existing security model was inadequate to meet the threats and challenges inherent in this new technology infrastructure. A new model of information security management is needed to meet the security challenges presented in this new environment. This has motivated the focal area of this research in information security management. Part of meeting this new challenge could also include the resurrection of risk as an important component of information security management. The results of this research would be important to any organization with a need for a secure business environment. The research results will also be important to individuals responsible for managing information security in their organizations, as well as to senior executives and members of corporate boards of directors, because of their increased statutory responsibilities to secure various types of information in their organizations.

From the results of the research so far, the information security management viewpoint calls for a phased approach with iterative process models that include several elements, supporting methods and specific outputs. The viewpoint should also include an integrated process improvement model, with supporting methodology. Currently, the main doctoral research is in the "demonstration of concept" stage. In this stage, the conceptual model will be validated in terms of the stated research problem. Potential outcomes and value of validation of the research proposition could be an approach to implementing an information security management system. This would include an information security policy framework, a methodology, and a supporting process model that is regarded as essential to managing information security in the enterprise.

In Proceedings of the 6th Annual ISOnEworld Conference, April 11-13, 2007, Las Vegas, NV www.isoneworld.org

Key words: Information security management, information security architecture, security policy, security process improvement, information security viewpoint, risk management.

Evolution of Computer Security Strategies

Before computer security evolved into the multidimensional field of today, the primary security focus of most organizations was on providing physical security for their assets. For organizations with early computers, this included securing and protecting data from natural disasters or malicious activities. With the advent of the personal computer, it was inevitable that security objectives would eventually include computer security. Up to the early 1980s, when computers were used simply as business tools to automate business processes, the focus of the computer security objective was securing computer centers, since most computers were located in computer centers. The security strategy was mainly accomplished through physical security (Vermeulen and Von Solms, 2002). Up to...