Recursive application for the perspective information security

6 The Enterprise Coherence Framework

6.8 Recursive application for the perspective information security

In this section we show how the recursive property of GEA can be applied using a case study taken from the field of information security.

Information security from a historical perspective

The desire for more rigorous answers to security issues arises partly from changes in legislation, partly from the availability of new technology and from the need to deal with an aggressive hacker community. Additionally we found that in case of performing risk analyses and determining mitigating security measures, there is often little attention paid to security of information at board level. Security is mostly seen as a technical matter, to be handled via the IT department. Experience shows that the implementation of security projects is often an afterthought, possi- bly in response to a security break, and must be realized after the sensitive information is available. The consequences are that inadequate security requirements are included in the design phases of applications, making these systems not optimally protected against threats, and this can lead to security incidents resulting in damage to reputation, loss of business data and associated high repair and failure costs. A recently published report, prepared by the Cylab of Carnegie Mellon University [127], indicates that many top managers of companies do not see any link between ICT risks and business risks to their enterprises. They do not appear to have an overview of the role of computer systems and information with regard to all types of business risks. Although this is an American study, we assume that this situation also occurs closer to home, where managers have insufficient awareness of the dangers to which their enterprise are exposed as a result of inadequate information. Apparently information security does not get the priority it deserves.

In this section we give an example of how this priority can be controlled. We show how a strategy change at enterprise level acted at the information security domain through the field of information provision.

Despite a lack of perception at senior management in terms of necessity and ur- gency regarding security measures, in particular e-security measures, the discipline is growing. There are various frameworks that can be used in the field of security as for instance Zachman [131], SABSA [95], Cobit [17] and the security section of NORA 2.0. [66]. All these frameworks have in common that they provide a structure for the security infrastructures from an organizational, functional and techno- logical perspective. What these operational structures do not provide is an overview of the relationship between the security and the strategic level of an enterprise, in this section we show how, using the GEA model, this relationship can be delineated within the structure of the model.

88 Figu re 24 . C oh eren ce b et w een se vera l co ncern s a nd th ei r a lli an ces b y pro ject ion 89 6.8 Recursive application for the perspective information secu-

rity

In this section we show how the recursive property of GEA can be applied using a case study taken from the field of information security.

Information security from a historical perspective

Vision on information security

In our view, information security (IS) is a perspective of governance within the area of responsibility of the chief information officer (CIO) of an enterprise, whose guiding frameworks are directly derivable from the level of purpose of the enterprise. In this way 'automatically' the impact and solution space from IS will be included in solving strategic issues by this positioning of IS. As a result, directly the (im) possibilities of IS and its impact on all other angles of governance are discounted in the first development stage of a possible solution. Application of the governance instrument GEA will thus make a significant contribution to solving security issues within an enterprise.

Coherence between multiple levels by recursively application of GEA

In Figure 25 we show, as an example of different levels within an enterprise, the enterprise level, the level of information provision (IP) and the level of information security (IS). A recursive application of GEA is, by definition, possible for each perspective.

To show how the recursively functioning for the IS-domain can be applied we can zoom in on the IP perspective at the enterprise level. This perspective causes, in Figure 25, the GEA-circle at the level of information provision, middle circle, with the examples, perspectives governance, processes, technical infrastructure, data, information security, standardization, applications, finance, employees and laws and regulations.

If we then zoom in on the IS perspective of the level information provision, in Fig- ure 25, the GEA circle information security arises, bottom circle, with perspectives governance, availability and continuity, media management, identification, authen- tication and authorization, logging, alerting and monitoring, application and soft- ware security, hardware and network security, physical security, integrity and reliability and employees.

Figu re 25 . C oh eren ce b et w een in fo rm at io n se cu ri ty lev el / en terp ri se b y recu rs iv ity

Vision on information security

Coherence between multiple levels by recursively application of GEA

91 Figu re 25 . C oh eren ce b et w een in fo rm at io n se cu ri ty lev el / en terp ri se b y recu rs iv ity 91

Specific security issues are resolved at the information security level, bottom circle, of an enterprise as an enlargement of the IS perspective at the level of information provision, middle circle, which in turn is an enlargement of the IP perspective at the enterprise level.

The integral solution of an IS issue at the information security level can lead to a disruption of the coherence at the next higher level because of, for example, changes in the guiding statements from the perspective IS affect other perspectives at the level of information provision. This leads to an IP issue for which the integral solution can work through at the enterprise level. The recursively reasoning can also be applied upstream, showing that security issues can cause strategic ef- fects in this way.

The IS of an enterprise is naturally embedded in the decision-making processes by simultaneously applying ‘enterprise coherence governance’ at three interconnected levels of governance as discussed in chapter 7 section 2.2, and thus it gets the attention it deserves and requires.

Finally, the security aspects of an enterprise may be distributed over different perspectives, such as security as a core concept of the perspective technical infrastructure (TI) at the level of information provision. The level IS, bottom circle in Figure 25, then provides the guiding framework for this core concept.

Example of GEA elements in the IS-domain of the Dutch government

Facing the problem of many different confusing standard frameworks, that were hindering the introduction of controlled security and the implementation and management of standards for security, the Dutch government has made a strong effort in recent years to establish common standards for all its information security frameworks, leading to the definition of an integral vision in the field of information security. This government-wide framework has replaced the existing depart-

mental frameworks, and theintegral vision is expressed in a new baseline national

security (BNS) [9] document. At the time of writing, March 2013, the BNS [9] was being used in an approval process for establishing it as an integral government baseline document. Working as a consultant on this project we have had, and con- tinue to have, extensive experience in various departments within the Dutch government; because of this we felt that the BNS was a starting point in the field of information security and designed it to be governable using GEA. In public areas, the BNS is considered to be the guideline for setting up departmental security measures within the Netherlands.

In the sense of purpose at the level of information security, see the triangle of the bottom circle in Figure 25, the goal of the BNS is to contribute the debate on the IT security of governmental authorities.

Some examples of the guiding statements taken from the BNS are given below. Risk management is the starting point for information security

The methods for classification of information and the effectiveness of security measures should be assessed regularly

Employees must demonstrate responsible and conscious behaviour with re- spect to working with government information

The BNS is based on a number of laws, norms and standards, see Figure 26, such as the VIR (Voorschrift Informatiebeveiliging Rijksdienst), the Dutch national requirements on governmental information security, a baseline of information security for the entire civil service. Each Dutch government ministry also possesses its own information security baseline. However, with the increasing flow of information between the different ministries there is a need for a more comprehensive, government-wide baseline, the BNS.

Once finalized and accepted as a legal document the security codes of the BNS will replace all departmental and interdepartmental baselines in the field of information security within the Dutch government. One of the main aims of using the BNS will be to obtain secure contact between the different Dutch ministries and departmental networks and promote the sharing of information. In this context the BNS can be used to select the desired level of reliability of information provision for specific cases.

Figure 26. Basis for BNS

Regarding the development of the perspectives and core concepts at the design level of the level of information security, bottom circle of Figure 25, the grouping

Standards Laws

Norms ISO/NEN 27001

VIR-BI VIR

Personal Data Protection Act

The Criminal Code on Computer Crime II Act on Governmental

interaction

Act on Electronic Signature

Security Framework Web Applications