Presentation on theme: "Understanding the management of IS security GP Dhillon, Ph. D. Associate Professor of IS, VCU"— Presentation transcript:
Understanding the management of IS security GP Dhillon, Ph. D. Associate Professor of IS, VCU
Cases and vignettes The chip theft case Purchasing manager with access to data entry and store accounting systems Would steal chips and smuggle them out of factory premises Management response was to establish access control and physically search everybody leaving premises Boyd Gaming Sunrise Hospital Eagle Star Insurance Other published cases: Kidder Peabody; Daiwa Bank; Barings Bank
A point to note “Perpetrators usually stick to the easiest and the least expensive methods to breach security” – Donn Parker (various: )
Three architectures and beyond Model of reality Conceptual level Technological Model Technology level Implementation Model Physical level ? Technical security Physical security ????
P Planning for IS Security Corporate plan and existence of a security vision Quality of operations Security policy as it relates to the operations Existence of a security evaluation method E Evaluation of IS Security Security evaluation linked to nature of organization (networked, hierarchical, power distance etc) Security measures contextualized for a particular situation (typically Checklist, RA …) Stakeholder analysis for security D Design considerations for IS security Interpreting the design ideal Correctness in system specification Integrity of controls (F/I/T) I Implementation aspects of IS security ‘Informal’ considerations before formal Situation issue centered approach in implementation Communication between ‘experts’ and managers
EagleI SunriseH BoydG SamsHR PEDIPEDI Business processes not designed – questions About integrity of data & responsibility of people No stakeholder analysis done resulting in limited understanding of authority structures and therefore confidentiality Security was not even considered to be an issue. Correctness of design and and consequences of errors ignored or overlooked Analysis of communication patterns ignored. Over generalized assumptions of implementation were considered Technological fix sought. No one considered the process aspects. Lack of integrity of organization structures In built security mechanisms in the s/w were considered sufficient Checklist followed in evaluating controls No analysis or design undertaken Security was an afterthought at best Lack of communication among staff Low trust levels since authority structures not defined Broken processes. Security implications of client server apps not considered. Members of co. did not even know if a security policy existed Not even conventional security evaluation done – RA, checklists. Authority structures ill defined. Traditional trust bet. dept. being broken Not much. Needs assessment was limited. It was thought that C/S was a mature technology so no need to consider process/user issues It was more of a technical implementation and consultants were given the charge. Access rights determined but no corresponding resp st. Competence to handle secure personal information questionable Inadequate training Conflicting purpose of the IT system. Lack of understanding of procedures and related security policy. Policy ill defined HR systems not considered ‘strategic’ hence lack of evaluation. Security is a major concern elsewhere in the co Since it was just a s/w – design issues were not considered to be important “People will learn”
Confidentiality of data Integrity of data Availability of data Responsibility of people Integrity of roles Trustworthiness of people ‘Ethicality’ of people ‘Surface structural’ IS security issues ‘Deep structural’ IS security issues IS Security in Organizations
IS Security in organizations = CIA + RITE My original argument: To resolve the problem of managing IS security, we need to understand the deep-seated pragmatic aspects of an organization. Solutions to the problem of security can be provided by interpreting the behavioral patterns of the people involved.
What competencies do you need to manage IS security?
Competence categories IS Security Organizational PersonalTechnological
Organizational Competencies Create Adequate Business Processes Clearly Define Roles Recognize the Importance and Scope of IS Security Concerns Identify Internal Threats to IS Security Develop IS security Processes Implement IS security Policies Maintain Policy Flexibility Regulate the Flow of Information Communicate the Necessity for IS Security Procedures Facilitate Informal Communication About IS Security Monitor Adequately The Competency to:
Personal Competencies Lead and Influence Others Awareness Continuing Personal Development Work in Teams Maintain Ethical Behaviors and Engender Loyalty Maintain Good Hiring Practices The Competency to:
Technological Competencies The Competency to Sustain Technical Expertise The Competency to Synthesize Technical and Business Knowledge The Competency to:
CIA Confidentiality Integrity Availability RITE Reliability Integrity Trust Ethicality COMPETENCIES Organizational Personal Technological PRINCIPLES