Integrated Information Management Systems
Luděk Novák
[email protected] ANECT a.s. Brno, Czech Republic
Abstract
The article looks for common ground among three different types of management systems that are frequently used for information management: the quality management system, the IT service management system and the information security management system. The aim is not to choose the best method, but to compose a comprehensive framework built on their advantages and synergies.
The author describes his experience with integrating the three types of management systems into one consistent information management framework. The integration is based on the similarities of the management systems, especially on the PDCA Model, which is the key shared principle. The second principle is an effort to incorporate information risks into each type of system: these days it is not possible to manage risk properly without a close connection to realising the benefits of information and communication technology.
Keywords:
Information management, Software quality management, IT service management, Information security management, CobiT, ITIL, BS7799, PDCA model.
1 Introduction
Wide use of information and communication technology (ICT) has a very serious consequence: organizations are more and more dependent on the quality, reliability and security of their information and communication systems, including all related processes and activities. Provision of more effective and efficient services with appropriate reliability and security is an essential responsibility of the people involved in information management.
The aims of information management are also shifting. The increasing importance of ICT in organizations' everyday life means it is no longer acceptable just to administer and maintain the ICT infrastructure. The primary role of information management is to manage and improve IT services that are able to deliver defined and measurable added value for business units. Information management therefore gains an essential position in general business management and strategy.
There are several best practice methodologies and standards in the world of information and security management. CobiT (Control Objectives for Information and related Technology), ISO 9000, ITIL (Information Technology Infrastructure Library), BS 7799-2 and/or ISO/IEC 17799 are the most general frameworks. New requirements on information management have appeared recently (such as Basel II, the Sarbanes-Oxley Act, critical information infrastructure protection etc.) and they emphasise the need for information management systems based on international standards and open methodologies.
Basel II, the new capital accord, establishes new requirements on operational risk control in banking. ICT is a key element of operational risk, and banks should adopt a process-driven approach to risk management, information management and operations management.
The Sarbanes-Oxley Act establishes new mandates for financial reporting based on the internal control environment. A company's managers are fully responsible for the internal controls and must make a statement about them. Most financial reporting processes are driven by ICT, so strong information management is also a key element, and information managers and other ICT professionals are held accountable for the quality and integrity of the information produced by ICT.
2 Starting points
The regulation examples mentioned above illustrate the current situation in information management. The new requirements do not distinguish among information management, information risk management, information security management, ICT operations etc. There is just one control framework for information management, and the basic question is whether any given piece of information can be trusted.
2.1 Information added value
According to current needs, information management has to find and define an appropriate information added value (or ICT added value) much more extensively. There are three general types of added value connected with ICT:
- Increase automation: an organization is able to align its business and information management and enlarge its production and performance by using ICT; the organization is effective (it does good things).
- Decrease costs: an organization is able to use resources responsibly and reduce costs and other expenses by using ICT; the organization is efficient (it does things well).
- Manage risks: an organization is able to adjust security measures and minimise security incidents, related risks and possible damages; the organization is secure.
Figure 1: ICT added value (three segments: increase automation, decrease costs, manage risks)
Existing information management needs and requirements stress all three types of information added value. An important issue is to find a balance among all three, because it is not possible to realize ICT benefits without proper risk management. On the other hand, information risks should be closely connected to the ICT benefits and reflect them. This comprehensive outlook on information management is sometimes called IT governance.
2.2 IT Governance and CobiT Methodology
IT Governance is a structure of relationships and processes to direct and control the organization in order to achieve the organization's goals by adding value while balancing risk versus return over ICT and its processes. [1]
CobiT (Control Objectives for Information and related Technology) [1] as an IT Governance model is a complex information management framework and its basic idea says “Information management should reach effective balance between realising benefits by increase automation or decrease costs and managing risks”. To accomplish this, information management needs to identify most important activities to be performed, measure progress towards achieving goals and determine how well the ICT processes are performing.
The CobiT concept is that control in ICT is approached by looking at the information that is needed to support the business objectives or requirements, and by looking at information as the result of the combined application of ICT resources that need to be managed by ICT processes. To satisfy business objectives, information needs to conform to certain criteria. The following three basic elements form the CobiT framework:
- Information criteria represent business goals and needs and their implications for information management (effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability).
- ICT resources are the available means which can be used by information management (data, applications, technology, facilities, and people).
- ICT processes are all activities and tasks related to information management; they form four broad domains (planning and organization, acquisition and implementation, delivery and support, and monitoring).
In summary, in order to provide the information that the organisation needs to achieve its objectives, IT governance must be exercised by the organisation to ensure that ICT resources are managed by a set of naturally grouped ICT processes. CobiT, as a useful tool, calls attention to:
- Organization contribution: ensuring effective IT governance and information management,
- User orientation: measuring up to business expectations,
- Operational excellence: performing the ICT function with increasing credibility and impact,
- Future orientation: building the foundation for future delivery and continuous learning and growth.
The CobiT methodology is ideal for establishing a comprehensive control environment for information management. But there is a significant shortcoming: the ICT processes are not defined in much depth in CobiT. It was not the authors' aim to describe all details, so from the practical point of view it is better to use other guidance to implement information management.
2.3 Integrated information management system requirements
There are three types of ICT added value, and successful information management should integrate all of their aspects: quality, reliability and security. Such an information management system should be composed of the following:
- A good relationship with business management and the users of information and communication systems, enhancing effectiveness, is essential to a quality management system;
- Effectiveness of all ICT operations based on proper IT service delivery and support, reducing expenses, is the main goal of an IT service management system;
- Control and limitation of information security risks and possible damages is the key benefit of an information security management system.
Figure 2 (caption not preserved in the source): integrated information management system composed of quality management, IT service management and information security management within the CobiT framework
Are these three different information management systems compatible with each other or not? And can an effective and efficient integration be built on the advantages and synergies of the management systems? You can hear similar questions quite often these days.
3 Information management system basic components
Quality is covered by quality management systems based on ISO 9000 (or ISO 90003 in IT). Reliability is established by an IT service management system following the recommendations of BS 15000, which generalizes ITIL. Security is the domain of the information security management system, which applies controls from BS 7799-2 or ISO 17799. Each management system and its contribution to the integrated information management system are discussed in the following text.
3.1 Quality management system
Quality is the totality of characteristics of a product or service that bear on the ability to satisfy stated and implied needs. [ISO 8402]
A Quality Management System (QMS) is a well-known management system that emphasises the importance of customers and their requirements for any business management. ISO 9001:2000 [2] is a familiar example of a collection of quality best practices. The principles are valid for information management too, so business unit and user requirements are seriously important issues. Excellent information management should systematically discover user ideas and transform them properly into real life. The QMS's added value is to increase automation and partly to decrease costs.
A suitable level of internal process formalism (such as process definition, resource management, document management and record management) is another advantage of a QMS. The guidance ISO/IEC 90003:2004 [3] covers all aspects of software quality, from acquisition to supply, including development, operation and maintenance of computer software, and provides guidance on how to implement the highly successful ISO 9001:2000 process-driven approach in a software environment. The structure of the standard demonstrates the comprehensiveness of its five perspectives (see figure 3).
Figure 3: Basic structure of the quality management system for software engineering (ISO/IEC 90003): quality management system, management responsibility, resource management, product realization, and measurement, analysis and improvement
A lot of organizations are running a QMS, so information management can use the QMS's tools and rules as guidance for document management, resource management, record management etc. It is also useful to add the concept of information management into the QMS framework rather than establishing parallel structures. The QMS culture in the organization is a useful asset too, so it can be extended to include information management and/or information security management issues.
3.2 IT service management system
IT service is a described set of facilities, IT and non-IT, supported by the IT service provider that fulfils one or more needs of the customer and that is perceived by the customer as a coherent whole. [15]
IT Service Management (ITSM) is a relatively new approach to information management, which concentrates on ICT operation processes. ITSM is primarily known as the process- and service-focused approach to information management. ITSM addresses the provision and support of IT services tailored to the needs of the organization. ITSM offers a common framework for ICT activities, as part of the provision of services, based on the ICT infrastructure. These activities are divided into processes (see figure 4), which when used together provide an effective ITSM framework for service delivery and service support. ITSM brings decreased costs and partly increased automation to the organization.
Figure 4: IT service management processes. Service delivery processes: capacity management, service level management, service continuity and availability management, service reporting, budgeting and accounting for IT services, information security management. Relationship processes: business relationship management, supplier management. Resolution processes: incident management, problem management. Control processes: configuration management, change management. Release process: release management.
The ITSM concept is defined by two standards: the first, BS 15000-1:2002 [5], describes the system specification, and a code of practice is presented by the second, BS 15000-2:2003 [6]. There is huge public interest, and consequently both standards are being adopted in short order as the new international standard ISO/IEC 20000 - IT Service Management.
ITSM concentrates on high reliability and transparency of ICT operations. Its primary aim is to define operation processes including their relationships and measurements, to monitor and supervise process execution, and to enhance operational effectiveness based on results and trends. ITSM is an ideal way to control, monitor and improve internal ICT operations.
ITSM is not just about the standards. The philosophy comes from the IT Infrastructure Library (ITIL), which is a comprehensive set of guidance on how to design, build and run ITSM. The documents describing service delivery and service support are the core of the whole ITIL library.
3.3 Information security management system
Information security is preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved. [8]
An Information Security Management System (ISMS) concentrates on the definition of processes connected with information risk analysis and treatment; its ICT added value is to manage risks.
The standard BS 7799-2:2002 [11] defines ISMS requirements and specifies how to design, enforce, control and improve information security management. There is a draft of a new international standard, ISO/IEC 24743 [12], based on BS 7799-2:2002, and a final version is expected at the end of 2005. A key element of any ISMS is the information risk management and treatment process, which concentrates on choosing proper security objectives and controls.
A code of practice for information security management and other ISMS best practice are described in ISO/IEC 17799:2000 [7]. A new version is ready to be published by summer 2005. The information security management categories in the following figure present the basic extent of ISO/IEC 17799:2005 [8].
Figure 5: Information security management categories of ISO/IEC 17799:2005: security policy; organizing information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance
A draft of ISO/IEC 24742, Information security management metrics and measurements [13], is currently in progress. Its aim is to add tools for defining measures and indicators into the ISMS; it is sometimes called the third part of BS 7799.
4 Shared principles of management systems
4.1 PDCA Model
All the presented management systems share a vital principle called the PDCA Model (Plan, Do, Check, Act). The model defines the basic cycle for each management system. The cycle starts with planning activities and defining expected results. Implementation and operation, as the second part, is followed by monitoring all defined activities to obtain appropriate information on the success of the implementation, its strengths and weaknesses. These outputs and the experience gained should be used for continual improvement of the management system.
Figure: PDCA Model (Plan, Do, Check, Act) with its external connections: customers provide requirements and receive satisfaction; suppliers receive requirements and deliver satisfaction
The external connections of the PDCA Model are important too. Customers (or users) are one side of the externalities and suppliers are the other. The PDCA Model requires a clear expression of customer requirements and proper monitoring of their satisfaction. On the other hand, the organization should define requirements for its suppliers and watch how the suppliers fulfil those needs.
The PDCA Model is the key principle that makes it possible to integrate three management systems concentrated on different management topics. The other shared principles related to the PDCA Model include management responsibility and commitment, resource management, documentation and record control, awareness and training, management reviews, continual improvement etc.
4.2 Standpoints to improve ISMS
The conference's main topic is information security and protection, so we look at the benefits of information management integration for the ISMS. First, it is important to mention the positive influence of the QMS on the ISMS. The QMS is a well-known application of the PDCA Model, so any good experience with it can be used to advocate the ISMS. Using existing tools and following the established culture should be another advantage for the ISMS. Last but not least, sharing the existing QMS structure is preferable to creating a wholly new framework for the ISMS.
The relation between ITSM and the ISMS contains more synergies. ITSM treats IT services as the foundation of information management. Consequently it is advisable to apply this approach in the ISMS as well. It means that IT services should be the starting point for the risk analysis and risk treatment processes. This approach allows information security requirements to be taken as part of an IT service and, as a result, security to be included in IT service reporting.
Change management is another large area for collaboration between ITSM and the ISMS. ITSM offers deeper inspection and a more detailed description of change management and related processes. The ISMS can use this quite easily, including configuration and release management. Incident management is a bit more difficult, because the ITSM recommendations have to be joined up with the information security incident management requirements defined by ISO/IEC TR 18044:2004 [9]. Finally, it is necessary to warn that availability and continuity management have similar rules, and the residual problems relate to how the business understands them.
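The service-centred risk assessment described above, as an added example that is not part of the paper: a constructed catalogue of two IT services, each carrying the confidentiality, integrity and availability requirements from its SLA, is scored against a constructed threat list; the treatment decision is taken per finding and a security line is derived per service for inclusion in IT service reporting. The 1 to 3 scales, the product rule, the asset kinds (taken from the CobiT resource classes) and the risk appetite threshold are assumptions made for the illustration, not values from BS 7799-2 or BS 15000.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str  # assumed classes after CobiT: data, application, technology, facility, people


@dataclass(frozen=True)
class ITService:
    """An IT service with its security requirements taken from the SLA (1 = low, 3 = high)."""
    name: str
    confidentiality: int
    integrity: int
    availability: int
    assets: tuple  # assets the service depends on


@dataclass(frozen=True)
class Threat:
    name: str
    property: str        # "C", "I" or "A": the property the threat affects
    likelihood: int      # 1 = rare, 3 = frequent (assumed scale)
    applies_to: frozenset  # asset kinds exposed to this threat


RISK_APPETITE = 4  # assumed threshold: scores above it must be treated


def risk_score(service: ITService, threat: Threat) -> int:
    """Risk = likelihood x requirement of the affected property, where the
    requirement comes from the service, not from the individual asset."""
    requirement = {
        "C": service.confidentiality,
        "I": service.integrity,
        "A": service.availability,
    }[threat.property]
    return threat.likelihood * requirement


def assess_service(service: ITService, threats, appetite: int = RISK_APPETITE) -> list:
    """Walk the service's assets, apply every relevant threat and decide treatment."""
    findings = []
    for asset in service.assets:
        for threat in threats:
            if asset.kind not in threat.applies_to:
                continue
            score = risk_score(service, threat)
            findings.append({
                "service": service.name,
                "asset": asset.name,
                "threat": threat.name,
                "property": threat.property,
                "score": score,
                "decision": "treat" if score > appetite else "accept",
            })
    return findings


def service_report(service: ITService, threats, appetite: int = RISK_APPETITE) -> dict:
    """One security line per service, suitable for the ITSM service report."""
    findings = assess_service(service, threats, appetite)
    to_treat = sum(1 for f in findings if f["decision"] == "treat")
    highest = max((f["score"] for f in findings), default=0)
    return {
        "service": service.name,
        "risks_identified": len(findings),
        "risks_to_treat": to_treat,
        "highest_score": highest,
        "security_status": "red" if to_treat else "green",
    }


# Constructed threat list (not from any standard).
THREATS = (
    Threat("disclosure of stored data", "C", 2, frozenset({"data"})),
    Threat("unauthorised modification", "I", 1, frozenset({"data", "application"})),
    Threat("hardware failure", "A", 2, frozenset({"technology"})),
    Threat("staff unavailability", "A", 1, frozenset({"people"})),
)

# Constructed service catalogue with SLA-derived C/I/A requirements.
SERVICES = (
    ITService("Online banking", 3, 3, 3, (
        Asset("customer database", "data"),
        Asset("banking application", "application"),
        Asset("application server", "technology"),
        Asset("on-call administrators", "people"),
    )),
    ITService("Intranet wiki", 1, 2, 1, (
        Asset("wiki pages", "data"),
        Asset("wiki application", "application"),
        Asset("wiki host", "technology"),
    )),
)


def portfolio_report(services=SERVICES, threats=THREATS) -> list:
    return [service_report(s, threats) for s in services]


if __name__ == "__main__":
    for line in portfolio_report():
        print(line)
```

The same asset kind (for example "data") gets a different score in the two services because the requirement is inherited from the service's SLA; that is what makes the service, rather than the asset, the starting point of the analysis, and it is also why the resulting status can be reported alongside the other service level measures.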
5 Conclusions
It is not possible to discuss all aspects of information management and their information security consequences here. The aim is to call attention to the need to join the different views. An integrated information management system makes it possible to take advantage of all the existing similarities. It is clear that each of the discussed management systems stresses its own perspective, but there are no barriers to their improving each other. There are no limitations from this point of view.
References
[1] COBIT 3rd Edition, Information Systems Audit and Control Foundation, ISACF 2000.
[2] EN ISO 9001:2000 – Quality management systems – Requirements.
[3] ISO/IEC 90003:2004 – Software engineering – Guidelines for the application of ISO 9001:2000 to computer software.
[4] Suryn, W., Hailey, V. A., and Coster, A.: Huge potential user base for ISO/IEC 90003, In ISO Focus, Volume 2, No.2, pp. 26-30, February 2005.
[5] BS 15000-1:2002 – IT Service Management – Part 1: Specification for service management.
[6] BS 15000-2:2003 – IT Service Management – Part 2: Code of practice for service management.
[7] ISO/IEC 17799:2000 – Information Technology – Security Techniques – Code of practice for information security management.
[8] ISO/IEC FDIS 17799:2005 – Information Technology – Security Techniques – Code of practice for information security management.
[9] ISO/IEC 18044:2004 – Information Technology – Security Techniques – Information security incident management.
[10] Humphreys, T.: Being prepared to tackle threats to your business, In ISO Focus, Volume 2, No.2, pp. 13-15, February 2005.
[11] BS 7799-2:2002 – Information security management systems – Specification with guidance for use.
[12] ISO/IEC FCD 24743:2004 – Information Technology – Security Techniques – Information security management systems requirements specification.
[13] ISO/IEC 1st WD 24742:2005 – Information Technology – Security Techniques – Information security management metrics and measurements.
[14] http://www.iso.ch/
[15] http://www.ogc.gov.uk/