Information Security
eBook - ePub

Information Security

Policy, Processes, and Practices

  1. 288 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Information security is everyone's concern. The way we live is underwritten by information system infrastructures, most notably the Internet. The functioning of our business organizations, the management of our supply chains, and the operation of our governments depend on the secure flow of information. In an organizational environment, information security is a never-ending process of protecting information and the systems that produce it. This volume in the "Advances in Management Information Systems" series covers the managerial landscape of information security. It deals with how organizations and nations organize their information security policies and efforts. The book covers how to strategize and implement security with a special focus on emerging technologies. It highlights the wealth of security technologies, and also indicates that the problem is not a lack of technology but rather its intelligent application.

Information Security is by Seymour Goodman, Detmar W. Straub, and Richard Baskerville and is available in PDF and/or ePUB format.

Information

Publisher
Routledge
Year
2016
Print ISBN
9780765617187
eBook ISBN
9781315288673
Edition
1
Subtopic
Econometrics

PART I

THE TERRAIN OF INFORMATION SECURITY

CHAPTER 1

FRAMING THE INFORMATION SECURITY PROCESS IN MODERN SOCIETY

DETMAR W. STRAUB, SEYMOUR GOODMAN, AND RICHARD L. BASKERVILLE
Abstract: Describing the layout of the entire volume, this chapter explains how its parts emerged from an organic conception of organizations struggling to determine what their information security needs were and how to create viable security policies. Organizational issues exist within the context of both national and international developments in InfoSec and the final part deals with these critical arenas. Technological trends will dictate responses to the possibilities of security violations, and there are clear directions for such circumstances in the case of ubiquitous computing. The final chapter summarizes and reformulates the new directions that researchers should take in InfoSec.
Keywords: Information Security Processes, Policies, Practices, Guidelines, Technical Versus Managerial InfoSec Research, Key Research Questions, Future Research Directions, Landscape of Information Security
The volume covers the managerial landscape of information security. It deals with how organizations and nations organize their information security policies and efforts. It covers how to strategize and implement security, with a special focus late in the volume on emerging technologies.
It shows wherein lie our strengths. It also shows where there are weaknesses. It points out our wealth of security technologies, particularly since the dawn of the Internet and 9/11. It likewise indicates as clearly as possible that the likely problem today is not the lack of technology, but its intelligent application. The management of information security is in its infancy, whereas the development of security technologies has reached a much more advanced state of maturity.
In attempting to cover the terrain of a broad subject that already has had a long history (however checkered), it is inevitable that much will be left out. So the subject matter selected for this volume calls for a rationale since there must be reasons why some topics were chosen and others were not, and the tale of the choosing says something about what should be valued most highly.
Before engaging in this exercise, though, it is useful to define and elaborate the term “information security” (InfoSec). The term “information” receives the initial stress since we feel strongly that the rendering of data into meaningful statements and comparisons, which we take to be information, has received light attention in both the academic and trade presses. Most of the work on security has been at the technological level, the level of protecting data bits and bytes from unauthorized interception and misuse, while little work has focused on protecting these binary digits once they have been manipulated, formatted, and stored for managerial use. There are volumes of work on encryption algorithms and how to make these unbreakable, for example.[1] Hence the prevalence, in this technical literature, of terms describing technologies under rubrics like “data/database security,” “computer security,” “cyber/Internet security,” and “network security.”
In short, information is a managerial and organizational tool, and the protection of information from the managers’ (and organizations’) point of view has not been subject to the same intense scrutiny as have security technologies. Not only are the policies that protect this information much less frequently discussed, but the processes that lead to effective policies are even less favored by scientists and practitioners. Broad social issues, such as international laws, standards, and agreements that affect security of information, are part of a wide range of environmental issues that also receive scant attention. There are numerous technical working papers dealing with such matters, but assessments of this scattered work have not been forthcoming. Many of these papers have direct organizational impacts, but even those with indirect effects bear watching and understanding.
Focusing on organizational needs, therefore, is the first way in which we scoped the topics covered. What we know at this time and where research should be moving in the future to address lightly examined areas represent the basic goals of the volume.
The term “security” cries out for some definition as well. By security, we most often mean the protection of assets from unauthorized use, but the term is often extended to cover situations where the mechanisms to protect assets are similar whether the damage inflicted comes from a malicious, accidental, or natural source. Organizations need to protect themselves from information losses whether these are caused by a terrorist or a tornado. Either will physically wipe out a firm’s data center. The recovery procedures are only distinctive in terms of whether insurance or criminal investigations require a forensic analysis. In both cases, there would be loss of life of mission-critical employees as well as loss of information and the ability to produce information. As tragic as such events are, it would be a further loss if stakeholders who depend on the firm—employees and their families, shareholders, suppliers, customers, and the surrounding communities—were to continue to suffer from organizational unpreparedness.
Thus security as we define it includes business continuity planning, especially regarding information. Malicious elements need to be considered in scenarios in this planning effort, but equal attention must be placed on accidental and natural causes.

PARTS AND CHAPTERS

The perspective taken in this book is at an organizational level. Whether governmental, commercial, not-for-profit, or other, decision makers in organizations confront the need to specify organizational policies, define organizational processes, and manage organizational practices that assure the organization’s information security. Table 1.1 lists an inventory of the various influences that drive these decisions.
Perhaps at the most global level are the regulations that emerge from non-governmental organizations. These include the recommended standards and practices of professional organizations (such as the Information Systems Audit and Control Association, which promotes an InfoSec framework called COBIT), industry standards and practices (such as the MasterCard and Visa collaboration that mandated a payment card industry data security framework), standards set by international agencies such as the International Standards Organization, and international agreements on issues such as personal data privacy through agencies like OECD and the UN.
Governments, aside from being organizations that must set their own internal policies, processes, and practices, are organizations that drive laws and regulations requiring conformity within their territorial borders. These laws and regulations define computer crimes, including insufficient protection of private personal data and insufficient transparency of information necessary for informed public decisions about organizations (such as disclosure of investment risks). With their mandate for national security, governments may regulate advanced information technologies with military applications (such as cryptography) and set national policies to establish sufficient information security in key industry groups like finance, transportation, and energy. Such government regulation drives processes, policies, and practices in a very widespread range of commercial and private organizations (the effects of which may even be extraterritorial). Even the setting of internal government organizational processes, policies, and practices may have a widespread effect, as these may drive conforming requirements of government contracting organizations, or become regarded as emblematic standards of “due care” in InfoSec.
Table 1.1

Drivers Influencing Organizational Information Security Policies, Processes, and Practices

  • Non-governmental regulation
      • International treaties
      • International standards
      • Industry standards and practices
      • Professional standards and practices
  • Government regulation
      • Computer crime
      • Privacy protection
      • Public disclosure requirements
      • National security
      • National information infrastructures
      • Government internal policy
  • Organization
      • Economics of security
          • Costs and benefits
          • Functionality—Security tension (guns or butter)
      • Ethics of security
          • Mandated or optional (due care)
  • Technological
      • Computer security
      • Network security
      • Cryptology
      • Vicious circle

There are also internal drivers that determine organizational policies, processes, and practices. For example, improvements to organizational InfoSec usually require resources; an investment in InfoSec is therefore an economic decision. Costs and benefits are managed through risk analysis, and like any investment decision, improvements in InfoSec move forward under the shadow of their opportunity costs. Should the organization invest in improved information systems performance or instead invest in improved security for its existing systems? The “guns or butter” nature of the decision often pits systems performance advances against systems security advances. These conflicting goals bring forward the ethical dimensions of decisions about organizational InfoSec policies, processes, and practices. Where InfoSec features are mandated by regulations, the ethical aspects are clear. But in organizational systems where InfoSec is not required by regulation, organizations are left to follow their own ethical lights: instituting InfoSec policies, processes, and practices because these represent the measure of due care that a wide range of stakeholders would regard as responsible management of information.
Information technology is itself a driver of InfoSec management processes. Not only do newer technologies bring challenging new problems for security, but security for existing technologies is a vicious circle of technical developments. New InfoSec technologies lead adversaries to develop new techniques to defeat the new security technologies, forcing the need for even newer and even better InfoSec technologies. This is a constant race for effective technical solutions in areas like computer security, network security, and cryptology.
Table 1.2

Situating the Parts of Our Volume Among the Drivers Influencing Organizational Information Security Policies, Processes, and Practices

  • Part I. The Terrain of Information Security
  • Part II. Security Processes for Organizational Information Systems
      • Organization
          • Economics of security
              • Costs and benefits
              • Functionality—Security tension (guns or butter)
          • Ethics of security
              • Mandated or optional (due care)
  • Part III. Processes for Securing the Extra-Organizational Setting
      • Non-governmental regulation
          • International treaties
          • International standards
          • Industry standards and practices
          • Professional standards and practices
      • Government regulation
          • Computer crime
          • Privacy protection
          • Public disclosure requirements
          • National security
          • National information infrastructures
          • Government internal policy
  • Part IV. Forces and Research Leading to Future Information Security Processes
      • Technological
          • Computer security
          • Network security
          • Cryptology
          • Vicious circle

Indeed, the vicious circle involves more than just technology. The causal directions of the entire set of drivers are not straightforward. Various InfoSec events, like compromises and massive losses, occur within their contemporary frameworks, including the drivers noted in Table 1.1 and the various organizational InfoSec policies, processes, and practices. Such events lead to revisions in regulations and organizational values, as well as in technologies. As a result, these drivers also set the stage for their own revisions, a form of self-remaking or autopoiesis.
How does the work at hand fit into this landscape? We can ...

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Table of Contents
  6. Series Editor’s Introduction
  7. Part I. The Terrain of Information Security
  8. Part II. Security Processes for Organizational Information Systems
  9. Part III. Processes for Securing the Extra-Organizational Setting
  10. Part IV. Forces and Research Leading to Future Information Security Processes
  11. Editors and Contributors
  12. Series Editor
  13. Index