www.elsevier.com/locate/cose
a RAU-Standard Bank Academy for Information Technology, Rand Afrikaans University, Johannesburg, South Africa
b Faculty for Computer Studies, PE Technikon, Port Elizabeth, South Africa

KEYWORDS
Information security; Information security management; Information security governance; Information security policy; Information security risk analysis; Information security compliance

Abstract
This paper identifies 10 essential aspects, which, if not taken into account in an information security governance plan, will surely cause the plan to fail, or at least, cause serious flaws in the plan. These 10 aspects can be used as a checklist by management to ensure that a comprehensive plan has been defined and introduced.
© 2004 Elsevier Ltd. All rights reserved.

0167-4048/$ - see front matter © 2004 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2004.05.002
372 B. von Solms, R. von Solms
presence/absence of these aspects from their information security plan.

The 10 deadly sins of information security

These sins are introduced below, and discussed individually in the subsequent paragraphs.

1. Not realizing that information security is a corporate governance responsibility (the buck stops right at the top)
2. Not realizing that information security is a business issue and not a technical issue
3. Not realizing the fact that information security governance is a multi-dimensional discipline (information security governance is a complex issue, and there is no silver bullet or single 'off the shelf' solution)
4. Not realizing that an information security plan must be based on identified risks
5. Not realizing (and leveraging) the important role of international best practices for information security management
6. Not realizing that a corporate information security policy is absolutely essential
7. Not realizing that information security compliance enforcement and monitoring is absolutely essential
8. Not realizing that a proper information security governance structure (organization) is absolutely essential
9. Not realizing the core importance of information security awareness amongst users
10. Not empowering information security managers with the infrastructure, tools and supporting mechanisms to properly perform their responsibilities

Sin number 1: not realizing that information security is a corporate governance responsibility (the buck stops right at the top, and there are legal consequences)

The realization that information security governance is an essential and integral part of corporate governance has grown specifically in the last few years. The driving force has been several documents on corporate governance which have appeared recently, for example the King II Report in South Africa (King) and ISACA's Control Objectives for Information and Related Technologies (COBIT). Other papers emphasizing this integration of information security with corporate governance have also appeared, for example (von Solms, 2001).

These documents have been supported by a growing set of laws and legal requirements which have appeared internationally, specifically related to the privacy of customer, client and patient data. Some examples of such laws and legal requirements are the ECT Act in SA (ECT) and the HIPAA Act (HIPAA) in the USA.

The implication of these developments is that the Board of Directors, as well as top management, have a direct corporate governance responsibility towards ensuring that all the information assets of the company are secure, and that due care and due diligence have been taken to maintain such security. Compromised company information assets can have serious financial and legal implications for a company, and executive management can be held personally liable in some cases.

Further, it is the responsibility of executive management to extensively report on the protection of information assets to the Board of the company.

Consequences of committing this sin: executive management are not performing and exercising the due care and due diligence expected of them, and may open themselves up to serious personal and corporate liabilities.

Sin number 2: not realizing that the protection of information is a business issue and not a technical issue

This sin is closely related to the one discussed above, but is highlighted on its own, because it does provide another dimension to the problem.

Information security related problems in a company cannot be solved by technical means alone. The sooner the management of a company grasps this fact, the sooner they will apply due care.

Unfortunately, in many cases, executive management in companies still think that technology is all that is required, and therefore 'delegates or downgrades' the issue to the technical departments, and conveniently forgets about it.

Without the proper, direct and continuous support of such executive management, as well as their acting as examples of information security consciousness and awareness, the information security problem will not receive due care or be addressed satisfactorily.

Consequences of committing this sin: technology will be thrown at the information security problem, without resulting in a total, comprehensive solution. This might also result in money wasted.

10 deadly sins of ISM 373

dimensions will continuously need to be added to the solution.
resulting risks, and selected countermeasures are the same for all companies. If a large number of companies have documented their experiences in this area, alongside the countermeasures they have selected for the possible risks, why do a comprehensive risk analysis to probably arrive at the same result? Rather use these documented experiences directly.

Why redo what others have done already?
Why re-invent the wheel for well-established environments?
Learn from and apply their experience!

The 'bread and butter' aspects of information security are the same in most IT environments. This is precisely what 'following a best practice' means.

An international best practice (Code of Practice for Information) for information security management normally documents the knowledge of a group of people (companies) as far as their experience with information security management is concerned. It therefore reflects the practices and experiences followed by the relevant people in managing information security.

The challenge to any information security manager is therefore to do the right things right. The question asked by many such managers is: 'How do I know what the right things are?' And if it can be determined what the right things are, how do you know you are doing them right?

Information security is not a new aspect of IT. Many people and many companies have struggled with information security over many years. In this process, they have found out what the right things are, and how to do them right.

They have therefore determined from experience what best practices are required and how to implement them effectively.

This experience has been documented in a wide set of documents, basically referred to as Standards and Guidelines. These documents are available to new information security managers, and should be used.

They can be seen as the consensus of experts in the field of information security, and generally provide an internationally accepted framework on which to base information security governance and management.

Nobody needs to re-invent the 'information security wheel'. This wheel has been developed, it is documented and should be used as such.

This does not necessarily mean that if these best practices are followed strictly no security incidents will occur. That is of course not true, but at least an information security manager, and the top management of companies, know that they are proving their due care and due diligence by following the advice of experts.

Examples of leading best practices in the area of information security are ISO17799 and ISF.

Consequences of committing this sin: unnecessary time and money is wasted to arrive at a solution which had, most probably, already been documented.

Sin number 6: not realizing that a corporate information security policy is absolutely essential

All international best practices for information security management stress the fact that a proper corporate information security policy is the heart and basis of any successful information security management plan.

Such a policy is the starting point and reference framework on which all other information security sub-policies, procedures and standards must be based.

Such a policy must be short (3–4 pages), and signed by the CEO, showing executive management's commitment and buy-in towards all information security aspects. This is the most visible way in which executive management shows their commitment towards information security in the company.

Consequences of committing this sin: all information security projects and efforts in the company will have no anchoring point and proof of high-level commitment, and will be floundering around without really making progress.

Sin number 7: not realizing that information security compliance enforcement and monitoring is absolutely essential

It is no use having a perfect corporate information security policy, with a comprehensive set of supporting sub-policies, conforming to international best practices, if it is not possible to monitor and enforce compliance to such policies.

'Un-enforced policies breed contempt' is a slogan which should be heeded.

Any information security manager should be empowered through technical and non-technical measurement tools to be able to monitor compliance to relevant information security policies, and act if any discrepancies appear.
Such monitoring and measurement tools must also not be built on, and dependent on, annual or bi-annual internal audit reports: nobody can any more afford to find out after 6 months that a fired employee still has access rights to the system. Such tools must be real time and provide real time monitoring and reporting.

'You can only manage that which you can measure' is directly related to this sin.

Consequences of committing this sin: a false sense of security may exist and be cultivated because 'we have all the necessary policies in place', without realizing that these policies may not be complied with.

Sin number 8: not realizing that a proper information security governance structure (organization) is absolutely essential

It is essential that a company has a proper information security organizational structure to make an information security governance plan successful.

Such a structure has to do with the way in which information security is organized and structured in a company. The importance of such structures is stressed by several codes of best practice for information security management, which all state that the existence of a proper organizational structure, including some type of Information Security Forum, is essential for successful information security implementations. This dimension not only refers to the organizational structure itself, but also to aspects like information security related job responsibilities, communication between information security related roles and the involvement of top management with information security. It also includes clarity on what aspects of information security management are to be centralized, what aspects are to be decentralized, as well as where the compliance monitoring and enforcement capability will reside (it should never be part of the IT Department itself).

Consequences of committing this sin: everything related to and involving information security is automatically referred to the (single) information security manager, who really is not the owner of any information, just the custodian.

If information owners are not clearly defined, and held responsible for the security of the information under their control, severe risks do arise. Accountability for information security must be shared by all employees, and not only the information security manager. This accountability must be spelled out clearly, and cemented into proper organizational structures.

Sin number 9: not realizing the core importance of information security awareness amongst users

Although this sin is so apparent it needs no discussion, it is still committed by many companies.

No proper awareness programs exist, and users are unaware of the risks of using the company's IT infrastructure, and the potential damage they can cause.

Furthermore, they are often not even aware of the information security policies, procedures and standards existing in the company.

Users cannot be held responsible for security problems if they are not told what such security problems are, and what they should do to prevent them.

In many cases it is realized that money spent on comprehensive user information security awareness programs is some of the best money spent on information security.

Consequences of committing this sin: many information security related intentions will fail to materialize if users are not properly educated in this regard.

Sin number 10: not empowering information security managers with the infrastructure, tools and supporting mechanisms to properly perform their responsibilities

This sin is closely related to sin numbers 7 and 8 above, but is so important that it warrants being listed separately.

Very often, executive management appoints an information security manager, and expects such a person to do everything alone.

This is not possible, because of the complexity and multi-dimensionality of information security.

Understanding and deliberately trying to prevent the sins discussed above will go a long way in preventing this one.

Consequences of committing this sin: information security managers soon realize that they cannot do their job properly, and either move on, or move out of information security. This opens the company up to severe risks, because no continuity exists and the security plan never gets fully implemented.
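Sins 7 and 10 above both turn on giving the information security manager real-time measurement tools, with the paper's own illustration being the fired employee who still holds access rights six months after the fact. The following Python, added here as an example (it is not code from the paper or its authors), implements that check as a policy rule that can run continuously: it reconciles an account directory against the HR roster, reports every enabled account whose owner HR lists as terminated (or who has no HR owner at all), and records how many days the leaver kept access. A second function re-runs the same rule on different audit cadences, so the cost of a semi-annual audit cycle versus a daily check can be read off the same data. The account list, HR records, names and dates are constructed sample data, and the `Account`/`HrRecord` field names are assumptions for the example, not the schema of any real identity provider or HR system.

```python
# Added example for this page: continuous leaver-compliance check.
# Not code from the paper; the data below is constructed, and the
# Account/HrRecord field names are assumptions, not a real IdP/HR schema.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str                        # "active" or "terminated"
    termination_date: Optional[date]   # set when status == "terminated"


@dataclass(frozen=True)
class Finding:
    user_id: str
    rule: str
    exposure_days: Optional[int]       # days the violation has existed, if known


def orphaned_accounts(accounts: List[Account], hr_records: List[HrRecord],
                      as_of: date) -> List[Finding]:
    """Policy rule: an enabled account must belong to a person HR lists as active.

    Returns one Finding per violation, in directory order. exposure_days is
    the time a leaver has kept access; a real-time check drives it towards 0.
    """
    hr_by_id = {r.user_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                   # disabled accounts comply by definition
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # Enabled account with no owner in HR: nobody is accountable for it.
            findings.append(Finding(acct.user_id, "enabled-without-hr-owner", None))
        elif (rec.status == "terminated" and rec.termination_date is not None
              and rec.termination_date <= as_of):
            findings.append(Finding(acct.user_id, "enabled-after-termination",
                                    (as_of - rec.termination_date).days))
    return findings


def worst_case_exposure(hr_records: List[HrRecord], accounts: List[Account],
                        first_check: date, last_check: date,
                        cadence_days: int) -> int:
    """Longest time any leaver keeps access when the rule runs every cadence_days.

    Each orphaned account counts at its first detection only, which is when a
    human could act on it; the result is the detection latency of that cadence.
    """
    worst = 0
    detected = set()
    check = first_check
    while check <= last_check:
        for f in orphaned_accounts(accounts, hr_records, check):
            if f.exposure_days is not None and f.user_id not in detected:
                detected.add(f.user_id)
                worst = max(worst, f.exposure_days)
        check += timedelta(days=cadence_days)
    return worst


# Constructed sample data (not from the paper).
ACCOUNTS = [
    Account("alice", enabled=True),        # active employee, compliant
    Account("bob", enabled=True),          # left 2004-03-01, never deprovisioned
    Account("carol", enabled=False),       # left 2004-02-15, correctly disabled
    Account("svc-backup", enabled=True),   # service account with no HR owner
]
HR_RECORDS = [
    HrRecord("alice", "active", None),
    HrRecord("bob", "terminated", date(2004, 3, 1)),
    HrRecord("carol", "terminated", date(2004, 2, 15)),
]
AS_OF = date(2004, 3, 2)                   # the day after bob's termination
CHECK_START = date(2004, 1, 1)
CHECK_END = date(2004, 12, 31)

if __name__ == "__main__":
    for f in orphaned_accounts(ACCOUNTS, HR_RECORDS, AS_OF):
        print(f"{f.user_id}: {f.rule} (exposure: {f.exposure_days} days)")
    for cadence in (1, 182):
        days = worst_case_exposure(HR_RECORDS, ACCOUNTS, CHECK_START, CHECK_END, cadence)
        print(f"check every {cadence:>3} day(s): worst leaver exposure = {days} days")
```

Run daily, the rule flags bob on his termination date (exposure 0) and the ownerless service account every day until someone takes responsibility for it; on a 182-day audit cycle the same data leaves bob with access for 122 days before anyone knows. Wiring the rule to the actual HR feed and directory, and scheduling it far more often than the audit calendar, is what the paper's "real time monitoring and reporting" amounts to for this one policy.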