
Understanding the management of IS security


Presentation Transcript


  1. Understanding the management of IS security
     GP Dhillon, Ph.D., Associate Professor of IS, VCU, gdhillon@vcu.edu

  2. Cases and vignettes
     • The chip theft case
       • Purchasing manager with access to data entry and store accounting systems
       • Would steal chips and smuggle them out of factory premises
       • Management response was to establish access control and physically search everybody leaving premises
     • Boyd Gaming
     • Sunrise Hospital
     • Eagle Star Insurance
     • Other published cases: Kidder Peabody; Daiwa Bank; Barings Bank

  3. A point to note • “Perpetrators usually stick to the easiest and the least expensive methods to breach security” – Donn Parker (various: 1989-1998)

  4. Three architectures and beyond
     • Conceptual level – Model of reality – ???? (security at this level left open: ?)
     • Technology level – Technological Model – Technical security
     • Physical level – Implementation Model – Physical security

  5. The P/E/D/I framework
     • P – Planning for IS Security
       • Corporate plan and existence of a security vision
       • Quality of operations
       • Security policy as it relates to the operations
       • Existence of a security evaluation method
     • E – Evaluation of IS Security
       • Security evaluation linked to nature of organization (networked, hierarchical, power distance etc.)
       • Security measures contextualized for a particular situation (typically checklist, RA …)
       • Stakeholder analysis for security
     • D – Design considerations for IS security
       • Interpreting the design ideal
       • Correctness in system specification
       • Integrity of controls (F/I/T)
     • I – Implementation aspects of IS security
       • ‘Informal’ considerations before formal
       • Situation/issue-centered approach in implementation
       • Communication between ‘experts’ and managers

  6. The cases analysed against P/E/D/I (Planning, Evaluation, Design, Implementation)
     • EagleI (Eagle Star Insurance)
       • P: Broken processes. Security implications of client/server apps not considered. Members of the company did not even know if a security policy existed.
       • E: Not even conventional security evaluation done (RA, checklists). Authority structures ill defined. Traditional trust between departments being broken.
       • D: Not much. Needs assessment was limited. It was thought that C/S was a mature technology, so no need to consider process/user issues.
       • I: It was more of a technical implementation and consultants were given the charge. Access rights determined but no corresponding responsibility structures.
     • SunriseH (Sunrise Hospital)
       • P: Business processes not designed – questions about integrity of data and responsibility of people.
       • E: No stakeholder analysis done, resulting in limited understanding of authority structures and therefore of confidentiality.
       • D: Security was not even considered to be an issue. Correctness of design and consequences of errors ignored or overlooked.
       • I: Analysis of communication patterns ignored. Over-generalized assumptions about implementation were made.
     • BoydG (Boyd Gaming)
       • P: Technological fix sought. No one considered the process aspects. Lack of integrity of organization structures.
       • E: Built-in security mechanisms in the software were considered sufficient. Checklist followed in evaluating controls.
       • D: No analysis or design undertaken. Security was an afterthought at best.
       • I: Lack of communication among staff. Low trust levels since authority structures not defined.
     • SamsHR
       • P: Conflicting purpose of the IT system. Lack of understanding of procedures and related security policy. Policy ill defined.
       • E: HR systems not considered ‘strategic’, hence lack of evaluation. Security is a major concern elsewhere in the company.
       • D: Since it was just software, design issues were not considered to be important: “People will learn”.
       • I: Competence to handle secure personal information questionable. Inadequate training.

  7. IS Security in Organizations
     • ‘Surface structural’ IS security issues
       • Confidentiality of data
       • Integrity of data
       • Availability of data
     • ‘Deep structural’ IS security issues
       • Responsibility of people
       • Integrity of roles
       • Trustworthiness of people
       • ‘Ethicality’ of people

  8. IS Security in organizations = CIA + RITE
     My original argument: To resolve the problem of managing IS security, we need to understand the deep-seated pragmatic aspects of an organization. Solutions to the problem of security can be provided by interpreting the behavioral patterns of the people involved.

  9. What competencies do you need to manage IS security?

  10. Competence categories for IS Security
     • Organizational
     • Personal
     • Technological

  11. Organizational Competencies – the competency to:
     • Create Adequate Business Processes
     • Clearly Define Roles
     • Recognize the Importance and Scope of IS Security Concerns
     • Identify Internal Threats to IS Security
     • Develop IS Security Processes
     • Implement IS Security Policies
     • Maintain Policy Flexibility
     • Regulate the Flow of Information
     • Communicate the Necessity for IS Security Procedures
     • Facilitate Informal Communication About IS Security
     • Monitor Adequately

  12. Personal Competencies – the competency to:
     • Lead and Influence Others
     • Awareness
     • Continuing Personal Development
     • Work in Teams
     • Maintain Ethical Behaviors and Engender Loyalty
     • Maintain Good Hiring Practices

  13. Technological Competencies – the competency to:
     • Sustain Technical Expertise
     • Synthesize Technical and Business Knowledge

  14. Summary: principles and competencies
     • PRINCIPLES
       • CIA: Confidentiality, Integrity, Availability
       • RITE: Reliability, Integrity, Trust, Ethicality
     • COMPETENCIES
       • Organizational
       • Personal
       • Technological
