Principles of Information System Security: Text and Cases

Presentation transcript:

Principles of Information System Security: Text and Cases
Gurpreet Dhillon
PowerPoint prepared by Youlong Zhuang, University of Missouri-Columbia

Chapter Six
Security of Formal Systems in Organizations: An Introduction

Copyright 2006 John Wiley & Sons, Inc.

Learning Objectives
- Identify the key aspects of formal information system security
- Explain structures of responsibility
- Understand organizational buy-in
- Explain the importance of security policies
- Recommend issues in good security policy formulation

Formal IS Security
- Creating organizational structures and processes to ensure security and integrity
- Creating and sustaining proper responsibility structures
- Maintaining integrity of the roles
- Creating adequate business processes
- Establishing an overarching strategy and policy

Ten Deadly Sins of IS Security Management (Table 6.1)

Four Classes of Formal IS Security
- Security strategy and policy
- Responsibility and authority structures
- Business processes
- Roles and skills

Formal IS Security Dimensions
- Responsibility and authority structures
- Organizational buy-in
- Security policy

Responsibility and Authority Structures
- Determine the performance of the formal control systems
- Provide a means to understand the manner in which responsible agents are identified
- Understand the underlying patterns of behavior
- Manifest the roles and reporting structures of organizational members

Mapping Structures of Responsibility
- Identify the agents who determine what takes place, and what behavior is realized
- Agents are associated with communication acts which serve to change the social world, which in turn constitutes the world of interrelated obligations
- An ontology chart represents the invariants in any domain as patterns of behavior to be realized by agents acting therein

A Simple Representation of Structures of Responsibility (Figure 6.1)

Mapping Structures of Responsibility (Cont'd)
- Invariants on the right of the chart can only be realized when those on their left have been realized
- Each invariant pattern is shown as a node in the chart
- The analysis task is to elicit, for each node, the responsible agents and the norms used by the organization
- The chart is a useful platform to study the norms and structure of an organization

Mapping Structures of Responsibility (Cont'd)
- Sketches the generic affordances that constrain any agent in this domain
- Implicitly creates a place for the agents at each node who decide:
  - Who has access to a PC
  - Which PCs have access to what data
  - Which PCs are sited in which rooms
- Agents make decisions in line with prevailing norms, which should reflect the practices espoused by the firm; and the practices conform to various overarching jurisdictions

Using Structures of Responsibility Maps
- Compare the responsibility structure against the explicit security management structure of an enterprise
- Compare the formal and the informal systems
- Lead to the substantive actions required of members of the firm
- It can be difficult to attribute responsibility if the norms are not strong

Using Structures of Responsibility Maps (Cont'd)
- Two security procedures are revealed when a person is given access to a PC which has access to the network:
  - The 'start' and 'finish' of an incumbency
  - The 'start' and 'finish' of access to a PC
- Understand the underlying repertoires of behavior
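The mapping sketched on the preceding slides can be made concrete. The following is an added example, not code from Dhillon's text or the accompanying slides: it models a hypothetical ontology chart as a dependency graph in which each invariant lists the antecedents to its left, records the responsible agent elicited for each node (surfacing any node with none, where responsibility cannot be attributed), checks that an invariant is not realized before its antecedents are, and applies the two start/finish procedures named above by testing whether every PC access interval lies within the person's incumbency. All node names, agents, people, PCs and dates are constructed for the example.

```python
from collections import deque
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed ontology chart: each invariant maps to the antecedents that sit
# to its left in the chart and must be realized before it can be.
CHART: Dict[str, List[str]] = {
    "organisation": [],
    "person": [],
    "room": ["organisation"],
    "pc": ["organisation"],
    "incumbency": ["organisation", "person"],       # a person holds a role
    "pc_sited_in_room": ["pc", "room"],
    "pc_access": ["incumbency", "pc"],              # a role-holder may use a PC
    "network_access": ["pc"],
    "data_access": ["pc_access", "network_access"],
}

# Constructed: the responsible agent elicited for each node. "data_access" is
# deliberately left without an agent to show how such a gap is surfaced.
AGENTS: Dict[str, str] = {
    "organisation": "board", "person": "hr", "room": "facilities",
    "pc": "it_department", "incumbency": "hr",
    "pc_sited_in_room": "facilities", "pc_access": "line_manager",
    "network_access": "it_department",
}


def realization_order(chart: Dict[str, List[str]]) -> List[str]:
    """Left-to-right reading of the chart (Kahn's algorithm).

    Every antecedent precedes its dependents; a cycle means the chart is
    not a valid ontology chart, so it is rejected.
    """
    indegree = {node: len(ante) for node, ante in chart.items()}
    dependents: Dict[str, List[str]] = {node: [] for node in chart}
    for node, antecedents in chart.items():
        for a in antecedents:
            dependents[a].append(node)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order: List[str] = []
    while ready:
        node = ready.popleft()
        order.append(node)
        for dep in sorted(dependents[node]):
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
    if len(order) != len(chart):
        raise ValueError("chart contains a cycle")
    return order


def unowned_nodes(chart: Dict[str, List[str]], agents: Dict[str, str]) -> List[str]:
    """Nodes for which no responsible agent has been elicited."""
    return [node for node in realization_order(chart) if node not in agents]


def missing_antecedents(chart: Dict[str, List[str]], realized: Set[str], node: str) -> List[str]:
    """Antecedents (transitively) that are not yet realized for this case."""
    missing: List[str] = []
    seen: Set[str] = set()
    stack = list(chart[node])
    while stack:
        a = stack.pop()
        if a in seen:
            continue
        seen.add(a)
        if a not in realized:
            missing.append(a)
        stack.extend(chart[a])
    return sorted(missing)


Interval = Tuple[date, Optional[date]]   # (start, finish); finish None = still open


def within(outer: Interval, inner: Interval) -> bool:
    """Is `inner` wholly inside `outer`? An open inner needs an open outer."""
    o_start, o_finish = outer
    i_start, i_finish = inner
    if i_start < o_start:
        return False
    if o_finish is None:
        return True
    return i_finish is not None and i_finish <= o_finish


def access_outside_incumbency(incumbencies: Dict[str, Interval],
                              accesses: List[Tuple[str, str, date, Optional[date]]]
                              ) -> List[Tuple[str, str, str]]:
    """Flag PC access whose start/finish is not bounded by the person's incumbency."""
    findings = []
    for person, pc, start, finish in accesses:
        if person not in incumbencies:
            findings.append((person, pc, "no incumbency on record"))
        elif not within(incumbencies[person], (start, finish)):
            findings.append((person, pc, "access not within incumbency"))
    return findings


# Constructed sample records: one leaver whose access was never revoked, one
# grant made before the incumbency began, and one person with no role at all.
INCUMBENCIES: Dict[str, Interval] = {
    "alice": (date(2006, 1, 9), date(2006, 6, 30)),
    "bob": (date(2006, 3, 1), None),
}
PC_ACCESS = [
    ("alice", "pc-17", date(2006, 1, 10), date(2006, 6, 30)),
    ("alice", "pc-23", date(2006, 2, 1), None),
    ("bob", "pc-42", date(2006, 2, 20), None),
    ("carol", "pc-05", date(2006, 4, 4), None),
]

if __name__ == "__main__":
    print("chart order:", " -> ".join(realization_order(CHART)))
    print("nodes without a responsible agent:", unowned_nodes(CHART, AGENTS))
    print("blocked for data_access:", missing_antecedents(CHART, {"organisation", "person", "pc"}, "data_access"))
    for finding in access_outside_incumbency(INCUMBENCIES, PC_ACCESS):
        print("finding:", finding)
```

The chart itself is the data structure; the functions are the analysis task the slides describe. `unowned_nodes` is the check that catches the "norms are not strong" case, and `access_outside_incumbency` is what a reviewer runs over HR and access records once the start and finish of each incumbency and each PC grant have been recorded.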

Organizational Buy-in
- Support from an organization's executive leadership is the most challenging task
- It is also a challenge to educate employees
- A two-fold need for executive leadership buy-in:
  - Assures staff buy-in
  - Ensures funding

Organizational Buy-in (Cont'd)
- Support from the IT department is also essential
- Consensus needs to be reached regarding the best practices to protect enterprise information assets
- User support is another important ingredient

NIST's Seven Steps for Effective Security Training
- Identify Program Scope, Goals, and Objectives
  - Directed at all types of people who interact with IT systems
  - An organization-wide program needs to be supplemented by more system-specific programs
- Identify Training Staff
  - Knowledge and communication skills

NIST's Seven Steps for Effective Security Training (Cont'd)
- Identify Target Audiences
  - Present only the information needed by the particular audience
- Motivate Management and Employees
  - Show how participation will benefit the organization
- Administer the Program
  - Visibility, selection of appropriate training methods, topics, materials, and presentation techniques

NIST's Seven Steps for Effective Security Training (Cont'd)
- Maintain the Program
  - A training program that meets an organization's needs today may become ineffective when the organization starts to use a new application or changes its environment
- Evaluate the Program
  - How much information is retained, to what extent security procedures are being followed, and general attitudes toward security

Security Policy
- Numerous security problems have been attributed to the lack of a security policy
- Possible vulnerabilities related to security policies occur at three levels: policy development, implementation, and reinterpretation
- More details in Chapter Seven

Good Security Policy Formulation
- An organization incorporates the strategic direction of the company at both the micro and macro levels
- Clarification of the strategic agenda sets the stage for developing the security model
- The security policies determine the processes and techniques required to provide the security, but not the technology

Good Security Policy Formulation (Cont'd)
- The implementation of security policies entails the development of procedures to implement the techniques defined in the security policies
- Security processes and techniques should be monitored constantly
- A response policy is an integral part of a good security policy
- Establish procedures and practices for educating all stakeholders

Layers in Designing Formal IS Security (Figure 6.2)

Concluding Remarks
Good formal IS security is a function of:
- Organizational considerations related to the structures of responsibility
- Ensuring organizational buy-in
- Establishing security plans and policies and relating them to the organizational vision

Copyright 2006 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permission Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.