An Approach to Information Security Management


Anene L. Nnolim, Annette L. Steenkamp
College of Management, Lawrence Technological University

Abstract

This paper reports on part of a doctoral dissertation research project in information security management. The intent of this research is to attempt to determine how information security management could be enhanced as a structured and repeatable management process, and to develop an appropriate architectural framework and methodology that could enable integration of information security management with enterprise life cycle processes. Over the years, the focus of information security has evolved from the physical security of computer centers to securing information technology systems and networks, to securing business information systems. The proliferation of computer networks and the advent of the Internet added another dimension to information security. With the Internet, computers can communicate and share information with other computers outside an organization’s networks and beyond their computer center. This new mode of communication meant that the existing security model was inadequate to meet the threats and challenges inherent in this new technology infrastructure. A new model of information security management is needed to meet the security challenges presented in this new environment. This has motivated the focal area of this research in information security management. Part of meeting this new challenge could also include the resurrection of risk as an important component of information security management. The results of this research would be important to any organization with a need for a secure business environment. The research results will also be important to individuals responsible for managing information security in their organizations, as well as to senior executives and members of corporate boards of directors, because of their increased statutory responsibilities to secure various types of information in their organizations.
From the results of the research so far, the information security management viewpoint calls for a phased approach with iterative process models that include several elements, supporting methods and specific outputs. The viewpoint should also include an integrated process improvement model, with supporting methodology. Currently, the main doctoral research is in the “demonstration of concept” stage. In this stage, the conceptual model will be validated in terms of the stated research problem. A potential outcome of validating the research proposition is an approach to implementing an information security management system. This would include an information security policy framework, a methodology, and a supporting process model that is regarded as essential to managing information security in the enterprise.

Key words: Information security management, information security architecture, security policy, security process improvement, information security viewpoint, risk management.

In Proceedings of the 6th Annual ISOnEworld Conference, April 11-13, 2007, Las Vegas, NV

Evolution of Computer Security Strategies

Before computer security evolved into the multi-dimensional field of today, the primary security focus of most organizations was on providing physical security for their assets. For organizations with early computers, this included securing and protecting data from natural disasters or malicious activities. With the advent of the personal computer, it was inevitable that security objectives would eventually include computer security. Up to the early 1980s, when computers were used simply as business tools to automate business processes, the focus of the computer security objective was on securing computer centers, since most computers were located in computer centers. The security strategy was mainly accomplished through physical security (Vermeulen and Von Solms, 2002). Up to...

References

Belsis, P., Kokolakis, S., & Kiountouzis, E. (2005), Information systems security from a knowledge management perspective, Information Management & Computer Security, Volume 13, Number 3, 189-202.
Besnard, D., & Arief, B. (2004), Computer security impaired by legitimate users, Computers & Security, Volume 23, 253-264.
Botha, J., & von Solms, R. (2004), A cyclic approach to business continuity planning, Information Management & Computer Security, Volume 12, Number 4, 328-337.
Creswell, J. W. (2003), Research Design: Qualitative, Quantitative, and Mixed Methods Approaches, 2nd Edition, Sage Publications, London.
Doherty, N. F., & Fulford, H. (2006), Aligning information security policy with the strategic information systems plan, Computers & Security, Volume 25, 55-63.
Eloff, J., & Eloff, M. (2003), Information security management – a new paradigm, Proceedings of the 2003 annual research conference of the South African Institute of Computer Scientists and Information Technologists on enablement through technology (SAICSIT), 130-136.
Geffert, B. T. (2004), Incorporating HIPAA security requirements into an enterprise security program, Information Systems Security, November/December, Volume 13, Issue 5, 21-28.
Gerber, M., & von Solms, R. (2001), From risk analysis to security requirements, Computers & Security, Volume 20, 577-584.
Heng, G. M. (1996), Developing a suitable business continuity planning methodology, Information Management & Computer Security, Volume 4, Number 2, 11-13.
ISO/IEC 17799 (2000), Information Technology – Code of Practice for Information Security Management.
Sarbanes-Oxley (2002), Sarbanes-Oxley Act of 2002.
Slewe, T., & Hoogenboom, M. (2004), Who will rob you on the digital highway?, Communications of the ACM, Volume 47, Number 5, May 2004, 56-60.
The Open Group (2006), The Open Group Architecture Framework (TOGAF), Version 8.1, Enterprise Edition, The Open Group, San Francisco.
Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, (2006), Formulating information systems risk management strategies through cultural theory, Information Management & Computer Security, Volume 14, Number 3, 198-217.
Vermeulen, C., & Von Solms, R. (2002), The information security management toolbox – taking the pain out of security management, Information Management & Computer Security, Volume 10, Number 3, 119-125.
Anene L. Nnolim

Anene is a Doctoral Candidate for the degree of Doctor of Management in Information Technology (DMIT) at Lawrence Technological University in Southfield, Michigan. He holds a bachelor’s degree in business from State University of New York, Buffalo, and an MBA from Stephen F. Austin State University, Nacogdoches, Texas. He has a Human Resources Management Certificate from the University of Guelph in Ontario, Canada. He is a certified Project Management Professional (PMP). Currently, he is the principal consultant at InfoTSG, Inc. (, an IT services consulting company with interests in business process management and information security management. His professional experience includes several years of management and leadership positions in government, telecommunications, and IT industries in Canada and the U.S. He is an Adjunct Professor in business process management at Lawrence Technological University, and online faculty at the University of Phoenix, teaching IT, management, and business courses.

Annette Lerine Steenkamp

Annette Lerine Steenkamp is Program Director of the Doctoral Program in Management of Information Technology and Professor in Computer and Information Systems in the College of Graduate Management at Lawrence Technological University, Southfield, Michigan. She holds a PhD in Computer Science, with specialization in Software Engineering. Dr. Steenkamp's research interest is in approaches to information technology process improvement, enterprise architecture and knowledge management. Current research is concerned with the application of CMMI in the education sector, redesign of organization processes for mobile technology adoption, knowledge management frameworks, alignment of IT and organization strategies, and systems integration.