Achieving Business Value in Information Security

Achieving Business Value in Information Security

4.11 - 1251 ratings - Source

Inhaltsangabe:Abstract: The beginning of the 21st century with the fear of the qYear 2000q-threat (Y2K) became a milestone for the qInformation Ageq, a term coined for the post-industrial stage of leading countries [ ] when information and information technologies become the main strategic national resource which results in an avalanche growth of information dependence in all spheres of society and state activities. . In organisations the awareness of the dependence on information has led to corporate initiatives to treat information as an asset, which includes various efforts for its protection. Management trends such as qknowledge managementq have identified qknowledge sharingq as a new means for achieving competitive advantage, thus promoting information to be disseminated. Due to an ever closer relationship with customers, suppliers and even competitors, organisations have expanded their qinformation networkq outside of the original boundaries. The dualism of protection of information assets on the one hand and a free flow of information has been identified to become a challenge for organisations, described as [ ] how to satisfy this need to share information without exposing the organization to undue risk. . With the information society implying radical changes, the need to act has been accelerated by a new mindset reacting to the advent of qe-businessq. Information Security (InfoSec) is often mistaken to be a purely technical issue, handled by information system (IS) departments and used as a synonym for firewall, access controls, and encryption of e-mails. However, because of the risks involved for an organisation - including legal liabilities, loss of trust and severe financial damage - InfoSec needs to be a top management issue. Then again, although paying lip-service to treating information as an asset, top-management usually does not act upon it: the average InfoSec spending in the U.S. today is only 0.4 percent of an organisation s revenue. In the following work it will be shown that a new approach to and a new understanding of InfoSec is vital for organisations to excel in the challenges faced by the information environment of the 21st century. The key focus of this study is to link existing InfoSec approaches to the concept of business value by ensuring their strategic fit with the corporate objectives. The first part will provide a common foundation with an evaluation of the role of information for organisations, relevant trends in the corporate environment, their impact on InfoSec, and its resulting working hypothesis. This understanding will then be used to evaluate the components of an InfoSec framework and current approaches to InfoSec. Building on the key aspects of InfoSec pointed out in the first part, the second part introduces a model based on business value as a means to enable an organisation s co-ordinated transformation towards integrated InfoSec management. Inhaltsverzeichnis:Table of Contents: List of AcronymsIV I.Introduction1 1.The Information Flow Dualism1 2.Information Security: An Executive Issue1 3.Outline a Objective of This Work2 Part I: Re-defining Information Security3 II.Scanning the Information Environment4 A.Information as an Asset4 1.A Primer on Information4 2.Intellectual Capital Management6 3.The Value of Information a Pragmatic View9 B.Environmental Analysis11 1.Organisational Trends11 2.The Changing Role of Information Technology15 3.Legal Requirements16 C.Impact on Information Security17 1.Information Security Working Hypothesis17 III.Key Aspects of Information Security20 A.The Framework20 1.Linking Information Security to Risk Management20 B.Components of Information Security22 1.People a Organisation22 2.Processes27 3.Security Architecture33 C.Current Information Security Approaches34 1.Overview34 2.The Need for an Integrated Approach38 Part II: Value-Based Transformation Towards Integrated Information Security40 IV.Achieving Integrated Information Security41 A.Knowing the Destination41 1.Integrated Information Security41 2.The Business Value of Information Security43 B.Co-ordinated Transformation47 1.The Need for a Roadmap47 2.The Information Security Maturity Model49 3.The Measurement Architecture52 4.The Maturity Levels Characterised61 5.Avoiding Pitfalls in the Implementation Process67 6.Evaluation69 V.Conclusion71 VI.List of Figures74 VII.Bibliography75 1.Used for Citation75 2.Used for Context Research83 VIII.Appendix87 1.Information Security Cause-and-Effect Diagram88 2.Change Options Matrix89 3.Information Security Capability Matrix90META Group, 2000 Moore, 2000 Murphy, Boren aamp; Schlarman, 2000 OECD, 1998 Paulk et al., 1993 PwC aamp; DIHT, 2000 Quinn, ... Scholtz, 1999c Torsten Kriedt Achieving Business Value in Information Security 80 Bibliography - Used for Citation.

Title:Achieving Business Value in Information Security
Author:Torsten Kriedt - 2002-10-29


You Must CONTINUE and create a free account to access unlimited downloads & streaming