IS Security Policies and Strategies Dr Gurpreet Dhillon Virginia Commonwealth University

Understanding security risks IT enabled improvement Business change Benefits Management Risk Management Positive outcomes Negative outcomes Business improvement needed

The systems lifecycle Plan Design Implement Evaluate evaluate

Planning for IS security Plan Design Implement Evaluate 1.A well conceived corporate plan establishes a basis for developing a security vision 2.A secure organization lays emphasis on the quality of its operations 3.A security policy denotes specific responses to specific recurring situations and hence cannot be considered as a top level document 4.Information systems security planning is of significance if there is a concurrent security evaluation procedure

Planning for IS security

IS security planning process

Designing IS security Plan Design Implement Evaluate 1.The adherence to a specific security design ideal determines the overall security of a system 2.Good security design will lay more emphasis on ‘correctness’ during system specification 3.A secure design should not impose any particular controls, but choose appropriate ones based on the real setting

Implementing IS security Plan Design Implement Evaluate 1.Successful implementation of security measures can be brought about if analysts consider the informal organization before the formal 2.Implementation of security measures should take a ‘situational issue-centered’ approach 3.To facilitate successful implementation of security controls, organizations need to share and develop expertise and commitment between the ‘experts’ and managers

Evaluating IS security Plan Design Implement Evaluate 1.Security evaluation can only be carried out if the nature of an organization is understood 2.The level of security cannot be quantified and measured; it can only be interpreted 3.Security evaluation cannot be based on the expert viewpoint of any one individual, rather an analysis of all stakeholders should be carried out

Risks in Systems Life Cylce Outcome risks Operational risks Process risks

Risk management: classification Inherent risks Planning needed Can be assessed and predicted Strategic High Potential Key Operational Support Outcome: high Operational: low Process: low What risk? Outcome: low Operational: high Process: medium Outcome: low Operational: low Process: high

Typical concerns StrategicHigh Potential Outcome risks Opportunity & financial risks? Lack of strategic framework: poor business understanding Conflicts of strategy and problems of coordination IT supplier problems Poor management of change Senior management not involved Large and complex projects; too many stakeholders Rigid methodology and strict budgetary controls Key Operational Support Operational risks Process based risks Too much faith in the ‘technical fix’ Use of technology for its novelty value Poor technical skills in the development team Inexperienced staff Large and complex projects; too many stakeholders Poor testing procedures Poor implementation Lack of technical standards

Risk management: core strategies StrategicHigh Potential Key OperationalSupport CONFIGURE COMMUNICATE CONTROL CONSTRAIN

Risk management: directions - 1 StrategicHigh Potential Business and corporate risks Opportunity & financial risks Key OperationalSupport Operational risks Process based risks Controllable Uncontrollable Predictable Unpredictable No problem - carry out plans Practice quick response to manage as events unfold Emphasis forecasting and thus “steer around” these events Develop a contingency planning system

Risk management: directions -2 StrategicHigh Potential Business and corporate risks Key OperationalSupport Operational risks Process based risks History Context (external) Context (internal) Business processes Content Risk Outcomes Context oriented risk assessment Opportunity & financial risks

Security management: the way forward StrategicHigh Potential Outcome risks Opportunity & financial risks? Key Operational Support Operational risks Process based risks The organizational context