Principles for Managing the Technical Aspects

8 September, 2015 - 17:21

From the previous discussion, it should be apparent that the security of the technical infrastructure is a function of the effectiveness of formal and informal organizational arrangements. Exclusive reliance on technical controls will not be enough to create a secure environment. Traditionally, organizations have been conceived as purposeful systems, where security has not been considered part of the ‘useful system’ designed for the purposeful activities (Longley 1991). In fact, IS security management has always been considered an activity that aims to guarantee that the useful activities of an organization will continue to be performed and harmful incidents avoided. However, IS security management should be perceived as a key enabler in the smooth running of the business processes of an organization (Dhillon 1997), through the development of security visions, strategies, and cultures.

Of course, from a holistic point of view, besides focusing on formalized rule structures and establishing an adequate understanding of behavioral practices, an organization also needs to develop and implement appropriate technical controls. These are vital measures, especially concerning who accesses the technical systems and what they are allowed to do once admitted. Two fundamental principles should be considered for adequately managing the technical aspects of information systems security. These follow.

Principle 5: In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose.

Many organizations focus on formulating security strategies, policies and procedures, and then hope their implementation will make them more secure. Although strategies, policies and procedures are important components of the organizational security effort, an exclusive emphasis on this top-down stepwise effort may be counterproductive. There are two main reasons for this argument.

First, there is the possibility that an exercise of rationally planned strategy may not necessarily consider the context where that strategy is being formulated and will be implemented. Several studies have provided support for the multi-faceted nature of formulating strategy, where intended strategies interact with emergent strategies, and where formulation and implementation co-exist and do not always follow each other in the expected order (Mintzberg 1994).

Second, the fast-changing pace of information technologies and the dynamic nature of businesses raise considerable obstacles to formulating grandiose strategies and waiting for them to play out. In the past, where a hierarchy was the dominant organizational structure and stability was the norm, it made sense to formulate strategies and policies and then proceed with their implementation, allowing the time for organizations to adapt to them. Back then, a rationally planned approach for information security formulation and implementation could have sufficed. Nowadays, with the emergence of new technologies, constant innovation and transformed structure and business processes, context is a determining factor for maintaining organizational integrity of networked and virtual enterprises.

Principle 6: Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.

Confidentiality, integrity, and availability are key attributes of information systems security. From a technical perspective, security can only be achieved if these three aspects have been clearly understood. One key ingredient in the design of technical controls is to apply formal models of security. Examples of these models are the Bell-LaPadula and Denning’s Models for confidentiality of access control; and Rushby’s Separation Model and Biba’s Model for integrity. Any formal model is an abstraction of reality, and its adequacy and preciseness are crucial for determining the model’s usefulness.

To a large extent, the previously mentioned models have proved valid and complete. However, their validity exists not because of their mathematical correctness, but because the reality they are mapping is well defined, namely the military organization. To a large extent, the military environment is characterized by a culture of trust among its members and a system of clear roles, lines of authority and responsibilities. As long as the organization works according to the stated security policy, the models successfully adhere to reality. However, the transferability of these formal models to a different reality, particularly the commercial one, calls into question the maintenance of their completeness and validity.

The first shortcoming is that organizational reality is not the same for all enterprises. Therefore, the stated security policy for one organization might be radically different from that of another because of environmental differences. Second, a model conceived for information security within a military organization may not necessarily be valid and applicable for a commercial enterprise. Consequently, any attempt to use models based on the military situation may prove inadequate in a commercial setting, and such application may also generate a false sense of security. The way forward for achieving confidentiality, integrity, and availability is to create newer models for particular aspects of the business for which information security needs to be designed. This requires the development of micro-strategies for unit or functional levels.