
    Corporate information security management.

    To ensure business continuity, the security of corporate information is extremely important. Previous studies have shown that corporate information is vulnerable to security attacks, and companies are losing money through security breaches. This paper describes an MSc project that aimed to investigate the issues surrounding corporate information security management. Postal questionnaires and telephone interviews were used. Findings indicate that companies are not proactively tackling information security management and thus are not prepared for security incidents when they occur. Reasons for this lack of action include: awareness of information security threats is restricted; management and awareness of information security is concentrated around the IT department; electronic information is viewed as an intangible business asset; the potential security risks of Internet access have not been fully assessed; and the surveyed companies have not yet encountered security problems and are therefore unprepared to invest in security measures. The recommendations include that companies: carry out a formal risk analysis; move information security management away from being an IT-centric function; and alter perceptions of electronic information so that it is viewed as a valuable corporate asset.

    What the changes to the BS 7799 standard bring

    In the paper, the information security standard BS 7799 is described. A short history of the standard is presented. The benefits of implementing the standard in an organization are highlighted. Modifications in the latest versions of the standard (BS ISO/IEC 17799:2005 and BS ISO/IEC 27001:2005) are described in detail. The authors also discuss the possible impact of these modifications on organizations that have developed their information security management systems (ISMS) on the basis of the previous versions of the standard. In addition, the article describes what organizations can expect in the field of information security standardization in the near future. Keywords: information security, BS 7799 standard, new edition, modifications, impact on the organizations, future of the standard

    The article describes the characteristics of the information security standard BS 7799 and lists the benefits of its introduction into an organization. A short history of the standard is given. The changes brought by the latest editions of the standard, namely BS ISO/IEC 17799:2005 and BS ISO/IEC 27001:2005, are defined in detail. The authors discuss the possible effects of these changes on organizations that have designed their information security management systems (ISMS) on the basis of previous versions of the BS 7799 standard. It is also described which standards in the field of ensuring information security organizations can expect in the coming years. Keywords: information security, BS 7799 standard, new edition, changes, impact on organizations, future of the standard

    BS7799: A Suitable Model for Information Security Management

    The world is changing rapidly as technology marches forward and the modern business world expands to take advantage of the new technology. Security is seen as fundamental to rapidly changing e-business. To satisfy the urgent need for security on the Internet, organisations need to face these challenges and need a suitable management model for information security management. This paper presents the current foundation of information security standards and analyses the framework of the BS7799 British information security model. It describes the basic properties of the important security management processes: security policy, security standards, access control, and security architecture. It provides an opportunity for security managers to gain security management knowledge and to recognise the important procedures and mechanisms that improve the process of information security management.

    Information Security Guidelines for Healthcare Institutions

    In recent years, medical records have slowly changed from paper form to electronic form. New information science and technology make the transmission of information easier and more convenient. On the other hand, individual privacy and confidential information become much harder to protect, and the use of new science and technology has increased the risk of information leakage. Information security problems are slowly appearing in electronic medical records. People who are indiscreet and negligent could cause improper damage to information management. For this reason, security guidelines could help healthcare institutions to improve insider and outsider security problems. The security guidelines should refer to BS7799 and HIPAA, from which we can take many advantages. Finally, we must estimate the benefit from purchase, integration, management, operations, maintenance, time lost, clumsy interfaces and procedures, etc. These may consume a lot of memory and time, so we should evaluate the cost and risk of each BS7799 and HIPAA item; this could help guide the selection of low-cost, low-risk and high-benefit standard items with which to create the security guidelines.

    The development of a technique to establish the security requirements of an organization

    To perform their business activities effectively, organizations rely heavily on the use of information (ISO/IEC TR 13335-2, 1996, p. 1). Owens (1998) reiterates this by claiming that all organizations depend on information for their everyday operation and that without it business will fail to operate (Owens, 1998, pp. 1-2). For an organization this means that if the right information is not available at the right time, it can make the difference between profit and loss or success and failure (Royds, 2000, p. 2). Information is an asset and, just like other important business assets within the organization, it has extreme value to an organization (BS 7799-1, 1999, p. 1; Humphreys, Moses & Plate, 1998, p. 8). For this reason it has become very important that business information is sufficiently protected. There are many different ways in which information can exist. Information can be printed or written on paper, stored electronically, transmitted electronically or by post, even spoken in conversation, or conveyed in any other way in which knowledge and ideas can be communicated (URN 99/703, 1999, p. 2; Humphreys, Moses & Plate, 1998, p. 8; URN 96/702, 1996, p. 3). It is, therefore, critical to protect information, and to ensure that the security of IT (Information Technology) systems within organizations is properly managed. This requirement to protect information is even more important today, since many organizations are internally and externally connected by networks of IT systems (ISO/IEC TR 13335-2, 1996, p. 1). Information security is therefore required to assist in the process of controlling and securing information against accidental or malicious changes, deletions or unauthorized disclosure (Royds, 2000, p. 2; URN 96/702, 1996, p. 3). By preventing and minimizing the impact of security incidents, information security can ensure business continuity and reduce business damage (Owens, 1998, p. 7).

    Information security in an organization can be regarded as a management opportunity and should become an integral part of the whole management activity of the organization. Obtaining commitment from management is therefore extremely important for effective information security. One way in which management can show its commitment to ensuring information security is to adopt and enforce a security policy. A security policy ensures that people understand exactly what important role they play in securing information assets.

    Development strategies of the Information Security Management Systems (ISMS) standards for organizations

    BS7799 is the British standard. BS7799 comes in two parts, ISO/IEC 17799:2000 (part 1) and BS7799-2:2002 (part 2), which provide guidelines for safeguarding an organization's assets. It is the intention of both standards to be a reference point from which information security management can be effectively and securely implemented. Assuring the confidentiality, integrity and availability of all information assets continues to be paramount during all phases of implementation. As the Internet community drives business further, we are finding that it is network security, and in particular Internet security, which is at the forefront of business network management and data integrity assurance practices. The trust of Internet users, especially for e-commerce and online businesses, relies on a strong security mechanism (e.g. digital certificates) offered by service providers. On the other hand, a serious security commitment is required from higher management down to the system administrator to endorse the best-practice methods defined in the ISO 17799 / BS 7799 charter. It is at "ground zero" where the information security battle will be fought, with both ISO 17799 and BS 7799 providing the frameworks for designing and implementing a secure strategy created specifically to protect every facet of the business and user environment.

    INFORMATION SYSTEM SECURITY THREATS CLASSIFICATIONS

    Information systems are exposed to different types of security risks. The consequences of information systems security (ISS) breaches can vary from, for example, damaging database integrity to the physical "destruction" of entire information system facilities, and can result in minor disruptions in less important segments of information systems or in significant interruptions of information system functionality. The sources of security risks differ: they can originate from inside or outside the information system facility, and can be intentional or unintentional. The precise calculation of losses caused by such incidents is often not possible because a number of small-scale ISS incidents are never detected, or are detected with a significant time delay, and some incidents are interpreted as accidental mistakes; all of this results in an underestimation of ISS risks. This paper addresses the different types and criteria for classifying information system security risks (threats) and gives an overview of the most common classifications used in the literature and in practice. We define a common set of criteria that can be used for information system security threat classification, which will enable the comparison and evaluation of security threats drawn from different threat classifications.

    An Exploratory Study of the Relationship among the High-level Management’s Security Awareness, Organizational Information Security Activities, and the Execution Level of Organizational Information Security

    As the issue of information security becomes increasingly important, high-level management security awareness of the operation of organizational information security activities is a significant factor in success. Hence, the aim of this research is to explore how organizational information security activities are influenced by high-level management security awareness, and to use the information security standard BS7799 to evaluate the execution phase of organizational information security. Combining literature research, a case study and the main security codes of BS7799, this paper proposes a conceptual model relating high-level management security awareness, organizational information security activities and the organizational information security standard to each other. In our conclusion, we found that the higher the high-level management's awareness of industry risks, the implementation of security measures and the threats to organizational security, the more the four information security activities of deterrence, prevention, detection and recovery are facilitated, and the higher the standard of organizational information security. In practice, the conclusion of this paper aims to remind high-level management to be aware of the threats posed by human factors and to strengthen risk evaluation and deterrence activities.

    A Reclassification of IS Security Analysis Approaches

    The role of security management in the development and operation of information systems has a long tradition of research in computer science, information systems and management science. Integrating the economic, organizational, and technical aspects of information systems security analysis and assessment requires bridging these different research streams. We examined major articles published on IS security using a new classification scheme for IS security analysis and assessment approaches. We looked at approaches discussed in recent publications as well as those examined in past articles that have attempted to classify various approaches to IS security. This paper therefore organizes a diverse collection of literature into a cohesive whole with the aim of providing IS management with an overview of current security analysis approaches, thereby offering management an effective aid for selecting the methods best suited to their needs. Furthermore, this work structures IS security research into a classification scheme that can also be used in future research and practice.

    Risk management in CRM security management

    In an increasingly competitive world, marketing survival can depend simply on timely new information about customers and market trends. One of the most important strategies in CRM (Customer Relationship Management) is to capture enough information from customers and to use this information carefully [Ryals, Tinsley]. Of course, the security of this information is very important in CRM data management [Bryan]. Data management is a method for scheduling and controlling data saving, recovery and processing; this activity is done continually or periodically [Bryan]. The security level of this information depends on the security policy of the organization. CRM security policy is the set of directives and practices for managing, protecting and distributing assets, including sensitive information, within an organization and its CRM systems [ISO/IEC TR 13335, ISO/IEC 17799, and BS7799]. CRM security policy is a high-level plan that focuses on the strategic security methodology; it is not limited to guidelines, standards or controls, and it plays a critical role in the defense of CRM systems and networks [Barman, M. Amanda]. CRM risk evaluation is a method for increasing the efficiency of CRM security policy, in that security threats and vulnerabilities against CRM are identified by priority [Greenstein, Bryan, and ISO/IEC TR 13335]. In this article, the importance of risk management in CRM is first established and then the suggested method of security risk management is introduced.