
Chapter 2: Literature Review

2.2 IS/IT security controls and security standards

Having IS/IT security controls and security standards in place does not mean that the security of IS/IT is well managed (Baker et al., 2007). As reviewed by Baker et al. (2007), previous studies predominantly focused on the presence or absence of security controls or procedures rather than on the quality of their implementation. To understand better how IS/IT security procedures have been implemented in managing IS/IT assets and business information security risk, Baker et al. (2007) designed a web survey addressing 16 categories of general security domains. These 16 categories are presented in Table 2.2.

GENERAL SECURITY CONTROL DOMAINS             NUMBER OF CONTROLS

Antivirus software                           4
Back-up and recovery                         5
Business continuity/incident response        5
Employee training and awareness              6
Help desk/IT support training                4
Staff hiring and termination                 4
Monitoring and logging                       4
Network auditing and logging                 6
Network security management                  6
Passwords and access control                 4
Physical security                            9
Remote access security                       4
Sensitive data handling and protection       6
System-level security                        4
Technical documentation                      4
Testing and review                           5

Table 2.2 Major security domains and number of controls (Baker et al., 2007)

Interestingly, the 16 general security control domains cover the three components of Technical, Formal and Informal. For example, controls such as antivirus software and back-up and recovery were identified with the Technical component, while business continuity and incident response are examples of general security control domains for the Formal component. Although the Informal component was not represented exclusively by any of the 16 categories, it is presumed to have been incorporated within the implementation of both the Technical and Formal components.

Baker et al. (2007) reported that 349 respondents participated in the web survey, including information security executives, managers and technical specialists. The results show that the ten security domains rated highest for implementation quality included anti-virus software (technical), back-up and recovery procedures (operational), system-level security procedures (technical) and accessible technical documentation (management). The lowest implementation quality ratings, however, fell predominantly in the management category, for example help desk/IT support training, business continuity/incident response, and monitoring and logging procedures. The survey results indicated that implementation quality was significantly affected by organisation size and industry: larger organisations were found to have bigger IT budgets for security controls and counter-measures, and the finance industry scored highly while education institutions scored lower on each of the 16 categories of general security domains identified in Table 2.2 (Baker et al., 2007). Figure 2.1 shows the disparities among industry groups.

Figure 2.1 The security controls quality differences among industry groups (Baker et al., 2007, p. 44)

For instance, the deployment of firewall technology is an example of an IS/IT security control that may be recommended by a security standard. However, deploying a firewall is insufficient if no measure is taken to assess how well the organisation has implemented it. The function of IS/IT security controls is to shield the corporation's vulnerabilities from attacks originating from internal and external sources. If an IS/IT security control is not functioning well, IS/IT may be vulnerable, which increases business risk.

While IS/IT security controls provide security counter-measures, IS/IT security standards provide proper requirements which should be followed within the organisational IS/IT Security Policies and Procedures.

b) IS/IT Security Standard: 17799/BS7799

17799/BS7799 is an international standard for security management that can be used by small to large organisations. Historically, it was published by the British Standards Institution (BSI) in 1992 as an industry code of practice. In 1995, the code was upgraded to the level of a UK standard, BS 7799, and in 2002 the standard gained international recognition as 17799/BS 7799-2:2002. This history shows the dramatic changes in the evolution of 17799/BS 7799 over several years.

The purpose of the standard is to provide a framework for organisations to examine and improve the security of their IT system environments. By nature, 17799/BS7799 is a comprehensive, risk-based approach: it allows organisations to decide their security needs (e.g., in terms of control objectives) on the basis of the risk assessment they have conducted.

17799/BS7799 covers ten key security areas, which together define the scope of the standard, as follows:

1. Area: Security Policy

Standard: Demonstrate the management commitment to, and support for, IS/IT security.

2. Area: Organisational Security

Standard: Develop a management framework for the coordination and management of IS/IT security in the organisation; allocate IS/IT security responsibility.

3. Area: Asset Classification and Control

Standard: Maintain an appropriate level of protection for all critical or sensitive assets.

4. Area: Personnel Security

Standard: Reduce the risk of error, theft, fraud or misuse of computer resources by promoting user training and awareness regarding risks and threats to information.

5. Area: Physical and Environmental Security

Standard: Prevent unauthorised access to information processing facilities and prevent damage to information and to the organisation’s premises.

6. Area: Communications and Operations Management

Standard: Reduce the risk of failure and its consequences by ensuring the proper and secure use of information processing facilities and by developing incident response procedures.

7. Area: Access Control Security

Standard: Control access to information to ensure the protection of networked systems and the detection of unauthorised activities.

8. Area: System Development and Maintenance

Standard: Prevent the loss, modification or misuse of information in operating systems and application software.

9. Area: Business Continuity Planning

Standard: Develop the organisation’s capacity to react rapidly to the interruption of critical activities resulting from failures, incidents, natural disasters or catastrophes.

10. Area: Compliance

Standard: Ensure that all laws and regulations are respected and that existing policies comply with the security policy, in order to ensure that the objectives laid out by senior management are met.

These ten areas of 17799/BS 7799 cover many facets, ranging from technical, human and legal matters to business survivability.

Entrust (2003-2004) reported that the ten ISO 17799/BS7799-2:2002 chapters (which include 127 elements) were used exclusively by boards, CEOs, CIOs and business unit executives to know the state of an organisation’s IS/IT security, identify the top security issues and see the progress made since the last report in order to plan future action.

Studies have shown that 17799/BS 7799 offers several benefits to organisations, and its many facets have attracted businesses internationally to employ the standard. 17799/BS 7799-2:2002 is seen as the best reference framework for IS/IT security management because it combines comprehensiveness with an international level of acceptance within business (Entrust 2003-2004). It is important to highlight that 17799/BS7799-2:2002 is one of the standards that allow organisations to undergo a third-party audit and become certified (Germain, 2005). Furthermore, Germain compared 17799/BS7799 with several other existing standards, and the comparison indicated that only two standards, 17799/BS7799 and the Common Criteria for IT Security Evaluation (ISO 15408), offered certification to organisations. While ISO 15408 provides certification of the technical aspects of information systems, 17799/BS7799 covers wider organisational and administrative matters.

Ezingeard et al. (2005) found that 17799/BS7799-2:2002 was primarily used as a marketing tool to generate customer confidence and to attract investors through well-established procedures.

Businesses around the globe have started to adopt 17799/BS 7799-2:2002 as an IS/IT security standard. It is widely used by organisations outside the UK, in Asia (including Japan, China, India, Taiwan and Korea), Australia (Waloff, 2002), Europe (including Germany, Italy, the Netherlands, Finland, Hungary, Ireland, Norway and Sweden) (Osborne, 2006; Ezingeard, 2005) and North America (Entrust 2003-2004).

However, the 17799/BS7799 standard has limitations. It is concerned with the existence of processes rather than with how effectively their implementation achieves the goals of those processes (Siponen, 2006); that is, it focuses on whether processes exist rather than on how well the processes or activities are being carried out. For instance, promoting user training and awareness regarding risks and threats to information is an example of an IS/IT security standard requirement. Organisations put more emphasis on setting up the training and awareness programme than on ensuring that the process meets the relevant procedures, regulations or laws and achieves the goal of IS/IT security. This may be due to insufficient internal controls over the standard’s processes. Since IS/IT security issues are predominantly social and people problems (Dhillon et al., 2000), adequate internal controls over IS/IT processes are crucially important.

A further limitation of standards arises from the compliance-led approach that has influenced the way people implement IS/IT security in organisations. A simplistic, compliance-led approach is not effective for IS/IT security because IS/IT security is not only a technological problem but also a social and organisational one (Dhillon et al., 2000). It has been identified that the three security principles of confidentiality, integrity and availability were limited to technical perspectives and were not applied to organisational and social aspects. Dhillon et al. (2000) extended the definition of the security principles to human aspects, including responsibility, integrity of people, trust and ethicality. However, Dhillon et al. (2000) conducted no research or empirical study to validate this claim, as the paper was a technical opinion piece.

As IS/IT security involves many disciplinary areas, the board and senior management have to be able to put effective mechanisms in place through IS/IT security controls and IS/IT security standards. Internal controls are one such effective mechanism, and they can be used to ensure that IS/IT security controls and standards are in place at every level of the corporation in order to achieve the corporation’s goals. There is a lack of studies emphasising how IS/IT security controls have been achieved, communicated and reported between and among the board, senior management and all employees.