Presentation is loading. Please wait.

Presentation is loading. Please wait.

Understanding the management of IS security GP Dhillon, Ph. D. Associate Professor of IS, VCU

Published byMaximo Hurley Modified over 9 years ago

Similar presentations

Presentation on theme: "Understanding the management of IS security GP Dhillon, Ph. D. Associate Professor of IS, VCU"— Presentation transcript:

1 Understanding the management of IS security GP Dhillon, Ph. D. Associate Professor of IS, VCU gdhillon@vcu.edu

2 Cases and vignettes The chip theft case Purchasing manager with access to data entry and store accounting systems Would steal chips and smuggle them out of factory premises Management response was to establish access control and physically search everybody leaving premises Boyd Gaming Sunrise Hospital Eagle Star Insurance Other published cases: Kidder Peabody; Daiwa Bank; Barings Bank

3 A point to note “Perpetrators usually stick to the easiest and the least expensive methods to breach security” – Donn Parker (various: 1989-1998)

4 Three architectures and beyond Model of reality Conceptual level Technological Model Technology level Implementation Model Physical level ? Technical security Physical security ????

5 P Planning for IS Security Corporate plan and existence of a security vision Quality of operations Security policy as it relates to the operations Existence of a security evaluation method E Evaluation of IS Security Security evaluation linked to nature of organization (networked, hierarchical, power distance etc) Security measures contextualized for a particular situation (typically Checklist, RA …) Stakeholder analysis for security D Design considerations for IS security Interpreting the design ideal Correctness in system specification Integrity of controls (F/I/T) I Implementation aspects of IS security ‘Informal’ considerations before formal Situation issue centered approach in implementation Communication between ‘experts’ and managers

6 EagleI SunriseH BoydG SamsHR PEDIPEDI Business processes not designed – questions About integrity of data & responsibility of people No stakeholder analysis done resulting in limited understanding of authority structures and therefore confidentiality Security was not even considered to be an issue. Correctness of design and and consequences of errors ignored or overlooked Analysis of communication patterns ignored. Over generalized assumptions of implementation were considered Technological fix sought. No one considered the process aspects. Lack of integrity of organization structures In built security mechanisms in the s/w were considered sufficient Checklist followed in evaluating controls No analysis or design undertaken Security was an afterthought at best Lack of communication among staff Low trust levels since authority structures not defined Broken processes. Security implications of client server apps not considered. Members of co. did not even know if a security policy existed Not even conventional security evaluation done – RA, checklists. Authority structures ill defined. Traditional trust bet. dept. being broken Not much. Needs assessment was limited. It was thought that C/S was a mature technology so no need to consider process/user issues It was more of a technical implementation and consultants were given the charge. Access rights determined but no corresponding resp st. Competence to handle secure personal information questionable Inadequate training Conflicting purpose of the IT system. Lack of understanding of procedures and related security policy. Policy ill defined HR systems not considered ‘strategic’ hence lack of evaluation. Security is a major concern elsewhere in the co Since it was just a s/w – design issues were not considered to be important “People will learn”

7 Confidentiality of data Integrity of data Availability of data Responsibility of people Integrity of roles Trustworthiness of people ‘Ethicality’ of people ‘Surface structural’ IS security issues ‘Deep structural’ IS security issues IS Security in Organizations

8 IS Security in organizations = CIA + RITE My original argument: To resolve the problem of managing IS security, we need to understand the deep-seated pragmatic aspects of an organization. Solutions to the problem of security can be provided by interpreting the behavioral patterns of the people involved.

9 What competencies do you need to manage IS security?

10 Competence categories IS Security Organizational PersonalTechnological

11 Organizational Competencies Create Adequate Business Processes Clearly Define Roles Recognize the Importance and Scope of IS Security Concerns Identify Internal Threats to IS Security Develop IS security Processes Implement IS security Policies Maintain Policy Flexibility Regulate the Flow of Information Communicate the Necessity for IS Security Procedures Facilitate Informal Communication About IS Security Monitor Adequately The Competency to:

12 Personal Competencies Lead and Influence Others Awareness Continuing Personal Development Work in Teams Maintain Ethical Behaviors and Engender Loyalty Maintain Good Hiring Practices The Competency to:

13 Technological Competencies The Competency to Sustain Technical Expertise The Competency to Synthesize Technical and Business Knowledge The Competency to:

14 CIA Confidentiality Integrity Availability RITE Reliability Integrity Trust Ethicality COMPETENCIES Organizational Personal Technological PRINCIPLES

Download ppt "Understanding the management of IS security GP Dhillon, Ph. D. Associate Professor of IS, VCU"

Similar presentations

Ministry of Public Sector Development Public Sector Development Program 2005-2009 Better Government Delivering Better Result.

Ministry of Public Sector Development Public Sector Development Program Better Government Delivering Better Result.
Management, Leadership, & Internal Organization………..

Management, Leadership, & Internal Organization………..
The Value of a Project Management Office Copyright: Kathy J. Lang, 2004.

The Value of a Project Management Office Copyright: Kathy J. Lang, 2004.
Chapter 13: Organizational Innovation and Change

Chapter 13: Organizational Innovation and Change
Competencies Are King… Improving organizational and staff performance

Competencies Are King… Improving organizational and staff performance
ACCOUNTING ETHICS Lect. Victor-Octavian Müller, Ph.D.

ACCOUNTING ETHICS Lect. Victor-Octavian Müller, Ph.D.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
Strategic Leadership: Creating a Learning Organization and an Ethical Organization Chapter Eleven Copyright © 2010 by The McGraw-Hill Companies, Inc. All.

Strategic Leadership: Creating a Learning Organization and an Ethical Organization Chapter Eleven Copyright © 2010 by The McGraw-Hill Companies, Inc. All.
The Australian/New Zealand Standard on Risk Management

The Australian/New Zealand Standard on Risk Management
Computer Security: Principles and Practice

Computer Security: Principles and Practice
SAFA- IFAC Regional SMP Forum

SAFA- IFAC Regional SMP Forum
Purpose of the Standards

Purpose of the Standards
ISA 220 – Quality Control for Audits of Historical Financial Information

ISA 220 – Quality Control for Audits of Historical Financial Information
TC176/IAF ISO 9001:2000 Auditing Practices Group.

TC176/IAF ISO 9001:2000 Auditing Practices Group.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Justice Information Network Strategic Plan Development Justice Information Network Board March 18, 2008 Mo West, JIN Program Manager.

Justice Information Network Strategic Plan Development Justice Information Network Board March 18, 2008 Mo West, JIN Program Manager.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
The IS Security Problem GP Dhillon, Ph. D. Associate Professor of IS, VCU

The IS Security Problem GP Dhillon, Ph. D. Associate Professor of IS, VCU
ACADEMIC PERFORMANCE AUDIT

ACADEMIC PERFORMANCE AUDIT

Similar presentations

Ads by Google