
Principles for Managing the Formal Aspects

8 September, 2015 - 17:19

Organizational theorists have suggested that the formalization of organizational tasks through division of labor and coordination of efforts is an answer to the increased complexity within organizations (Mintzberg 1983). With the advent of computerization, technology has been used to automate many of the formal activities. This process involves deciding which aspects should be automated and which should be left alone (Liebenau and Backhouse 1990). Therefore, it is relevant to understand the nature and scope of formal rule based systems and the interrelationships between those systems and the design of information security in an organization. The following two principles should be considered when instituting IS security formal controls.

Principle 3: Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.

The establishment of formalized rules is one step that could assist in managing IS security. An example of such formalized rules is the security policy, which helps clarify bureaucratic functions in order to minimize ambiguities and conflicting interpretations within organizations. The definition of security controls at the formal level of an organization should, however, take into consideration the possibility of over-formalization. Management’s inability to balance the rule-based and norm-based aspects of work is a source of security problems. In order to prevent the misinterpretation of data and the misapplication of rules, formal rules and procedures need to be in place and applied together with other existing controls and their contexts. If formal rules are primarily designed as isolated and disconnected solutions for specific problems, they will have dysfunctional effects.

Although security policies are perceived as essential for expressing rules of conduct, the success of their application is a function of their integration with the organization’s strategic vision. If, as in the past, enterprises keep formulating security policies based on checklists, following a rationale of identifying specific security responses to specific conditions, they will not be able to draw a line between formal rule based systems and pragmatic responses.

To design a well-balanced set of controls in a highly integrated business environment, information security management needs to be on top management’s agenda. Only then will it be possible to shift attention to the creation of a security vision and strategy in which appropriate consideration is given to the threats and vulnerabilities of the business process architecture and of the technological infrastructure. When this state is reached, security considerations will acquire a strategic nature and will demand attention in order to serve as a business enabler, namely by maintaining the consistency and coherence of organizational operations. In this framework, security policies will tend to assume the role of functional strategies.

Principle 4: Rules for managing information security have little relevance unless they are contextualized.

An implication of the previous principle is that exclusive reliance on either rules or norms will not provide enough protection for IS assets. If rules for managing information security are applied without due appreciation of context, the outcomes may be detrimental to the security of the company. Only by conducting a thorough security evaluation will the organization be able to design an integrated set of technical, formal, and informal controls. This evaluation reviews the current security controls, takes into consideration the context in which each of the projected controls will be implemented, and considers how the different controls should be integrated.

The context dependence of applying security controls may be appreciated by considering two formal controls, namely security policies and structures of responsibility and authority. The formulation of a security policy should result from the application of sound business judgment to the value ascribed to the data and to the risks associated with its acquisition, storage, recovery, management, manipulation, communication, and interpretation. Because each organization is different, the content and form of a security policy are case specific, and it is difficult to draw any generalization. This suggests that a situation-centered approach should be preferred when managing IS security controls.

The second illustrative control is the structure of responsibility and authority (Backhouse and Dhillon 1996). The adoption of appropriate structures is an important step in establishing good management practices and in assisting the prevention of computer crime and of communication breakdowns within organizations. The concept of structures of responsibility and authority provides an effective means to identify the responsible agents in the formal and informal organizational environments and to determine what behaviors those agents perform. By facilitating the understanding of the ranges of conduct open to responsible agents, the influences they are subjected to, the manner in which they make sense of the occurrence of events, and the communications in which they participate, structures of responsibility and authority create a means to manage the formal aspects of IS security.

In order to benefit from the application of such a framework, an organization needs to go beyond the sole concern of specifying an appropriate organizational structure, since this attitude usually results in a skewed emphasis towards formal specification. The most important step in solving the problems that arise when establishing structures of responsibility and authority is the capacity to understand the underlying patterns of behavior of organizational members. The goal of developing and designing secure environments will only be achieved if the context that shapes those patterns is taken into account.