3 Methods
4.4 Coding Results for Security Management Approach
Participants were asked a range of questions on the operational structure for security, the main approaches taken to manage security, whether the approach was effective, whether standards had been adopted as part of the approach, and how improvements could be made. Table 6 provides a coding summary for this area, and Figure 10 depicts coding relationships.
Table 6 Coding Summary for Security Management Approach
Code (Density)
Benefit of Structured Approach (41)
Intended or Actual use of 17799 (28)
Ad Hoc Use or No Use of Standards (17)
Inadequate Human Resourcing (12)
Raise Awareness and Understanding (12)
Issues with Decentralisation of IT (7)
Allocation of Funding (5)
Reactive Approach (5)
Senior Management Engagement (4)
Information Security Governance (2)
IT Security Seen as IT Problem (2)
Competing Work Priorities (1)
[Figure 10: coding relationship diagram for the security management approach. Nodes (with densities): Structured Approach Necessary {41}, Intended or Actual use of 17799 {28}, Ad Hoc Use or No Use of Standards {17}, Inadequate Human Resourcing {12}, Raise Awareness and Understanding {12}, Issues with Decentralisation of IT {7}, Allocation of Funding {5}, Reactive Approach {5}, Senior Management Engagement {4}, Information Security Governance {2}, IT Security Seen as IT Problem {2}, Competing Work Priorities {1}, Lack of Measurement {1}. Nodes are linked by relationships of type 'is cause of', 'is part of' and 'is associated with'.]
Findings on Security Management Operational Structure
Participants were asked a number of questions in relation to the approach taken to operationally manage information security. This included gathering information on the operational and reporting structure. In all cases, security practitioners reported to a manager within IT. Within IT, this was generally at a level such as Infrastructure Manager, Communications Manager, Network Manager and sometimes the IT Director. What was noticeable was that no security practitioner reported directly outside of IT, to a Senior Management level, Risk Manager or similar.
Some (very few) organisations stated that they still lacked a dedicated role for the management of Information Security. It was apparent that in those cases where the institution lacked a dedicated security function led by a full-time resource, the institution suffered a substantial disadvantage compared to those institutions that had one or more resources allocated to security. The absence of a dedicated security coordinator impacted the institution’s ability to establish and drive a centralised and coordinated approach to security. In most cases, the institution had a security practitioner who operated with a ‘virtualised team’, with team members physically located in other sections but accessible to the security practitioner. Only some of the large institutions had dedicated technical staff in a dedicated security team environment. A typical comment which sums up both the common ‘virtualised structure’ and the lack of a coordinating role in the absence of a security practitioner is:
‘We don’t have a body or group responsible for that all encompassing view of security, so there is no operational structure per se, although I guess the de facto structure is individuals in other areas have responsibility for their area, so there is the server people looking at your server security, the applications people who have DBAs (Database Administrators) looking after that component, the network services people looking after the physical security and looking at MAC (Media Access Control) addresses for registration to permit access etc, so looking at the big picture it’s quite distributed, and what has occurred to me thinking about this question for you, is that we lack the coordinating role’
Findings on Approaches Adopted for Managing Security
Participants overall were positive about their management approach to security. The most common management approach, cited by 60% of participants, was based on incident management (Figure 11). This was followed closely by risk management and managing security as part of the IT plan. However, approximately one third of participants indicated the use of an ad hoc approach to managing security. The management of security in relation to incidents was described as being either ad hoc or reactive. A few organisations described their management of security as being well defined through a framework or coordinated structure.
[Figure 11 Approach Adopted for Managing Information Security: bar chart of % of Participants (0 to 70) for the categories Adhoc Approach, Part of IT Plan, Risk Management and Incident Management.]
Findings on Effectiveness of Management Approach
When participants were asked whether they thought the existing approach taken to manage information security was effective, the majority were relatively positive about how effective their approach was (Figure 12). However, many participants noted that room for improvement existed. In some cases participants considered that, while the management approach in itself was appropriate, its effectiveness was hindered by other organisational constraints, priorities, or cultural barriers. In some cases it was considered that the security approach needed to be made enforceable, which required senior management backing or support.
[Figure 12 Participants Who Considered Existing Security Management Effective: bar chart of % of Participants (0 to 50) for the responses Disagree, Somewhat Disagree, Somewhat Agree and Agree.]
Findings on Changes Required to Improve Effectiveness of Management Approach
A pattern emerged in which the single issue considered most necessary to improve the management approach for security was to move away from existing ad hoc activities towards a structured, holistic approach (Figure 13). Such an approach should integrate more effectively with the business, indicating that point solutions needed to be replaced with a more cohesive model. The current ad hoc approach resulted in risks being improperly quantified, or not fully understood and acted upon. This also affected other activities such as the development of policy, standards and guidelines for security, as well as awareness raising and the promulgation of security information in general.
[Figure 13 Changes Required to Improve the Security Management Approach: bar chart of % of Participants (0 to 60) for the categories Additional Resourcing, Improved Awareness and More Structured Approach.]
The following comments typify this finding; conversely, the last comment describes the effectiveness of having a structured approach:
‘I think at the moment it is fragmented though, we have got web security, we have got data security, we have got server security, we have got holes in firewalls as a result of faculties doing their own thing, and so there is a variety of areas where standards and policies even though they may exist to varying levels of completeness, are not being held together in a neat tight way, because the management of it is weak, and I think that is the challenge together, to draw those strands together and to lay over it a structure’
‘it is achieving security requirements however I would like things to be more structured’
‘We have a concern that we don’t have enough coordination, and thus a standards based approach’
‘It is more of an ad hoc approach. It is also very reactive. I guess not totally effective, it would be nice to have some sort of structured strategy’
‘Agree - the framework exists to make sure we can manage it properly, the planning exists to make sure we can stay up with the act, the policy and the procedures exist to make sure that we are following things in a routine manner, and the awareness exists, clearly we can do better, always, but I think it is doing what it needs to do’
Participants consistently referred to specific areas which, taken together, would improve levels of governance. They saw a need for security to be more structured and strategically aligned with the business function within the organisation. This was seen as necessary for security to be driven by organisational requirements, to achieve better integration with the business, and for the security function to match the actual processes used within the organisation.
Because of competing priorities, the need to prioritise and direct effort to the areas of greatest impact was noted as critical to ensuring that security adds value. Highlighting information security as a business issue (rather than an IT-owned issue), and demonstrating how security enables the business, involved moving the focus away from security as something restrictive. Another identified issue was establishing security practices applicable to universities. Many participants saw a need to draw from the vast array of existing security practices and establish a set of security practices and guidelines relevant to the university sector.
A second theme predominant in the findings was that of raising awareness and understanding of security:
‘So it comes down to increased awareness, and a strategic ICT plan, like at this institution it is too ad hoc’
‘It sort of goes back to the old one, a better understanding, a broader and better understanding of risk’
‘The management approach itself is ok, it comes down to awareness, so basically more funding and a higher level of awareness’
‘so we think more than anything we need to get this awareness happening’
‘The other thing is improved awareness at all levels’
The issue of funding was also raised, with the following types of comments reflecting findings:
‘I think having a link into the budget process, so that there are opportunities for us to say ‘going forward these are major risks in this area’, and for us to be able to prioritise all of the demands for money in a more structured manner I think would be really beneficial’
‘some funding for centralised security management’
‘Looking at the strategy, to meet the needs of those functional needs, and resources required’
Findings on the Use of Security Management Standards
Less than half of the participants stated that they used security management standards. Of those that did, almost all indicated 17799, or a state-level adaptation of that standard. Many participants stated that they would like to see standards applicable to the university sector: standards designed to provide universities with a baseline, allow benchmarking, and prevent universities from having to ‘reinvent the wheel’. This was despite fewer than 50% of participants citing active use of existing standards.
It was evident that many university security practitioners and administrators already had some well-developed, locally based technical standards that they applied to security. Although 17799 was often quoted as the preferred management standard, several participants were critical of it, suggesting that following it would be highly time consuming and resource intensive, and that it was not necessarily applicable to the university environment.
Similarly, feedback indicated that auditors used a different standard from 17799 for auditing security (primarily COBIT). Although several state governments have mandated state-level adaptations of 17799, not all universities are proceeding in this area. The standard recommends that organisations develop an information security management system based on organisational requirements, and then adapt the standard as necessary. Findings from the survey indicate that 17799 is the preferred choice of security standard, but clarity is lacking on its implementation.