Presentation
Developing an Architectural Description for the Information Security Management Viewpoint
This paper reports on part of a doctoral dissertation research project in information security management. One of the aims of the project is to develop an appropriate architectural framework and methodology that could enable integration of information security management with enterprise life cycle processes.
Over the years, the focus of information security has evolved from the physical security of computer centers to securing information technology systems and networks, to securing business information systems. The proliferation of computer networks and the advent of the Internet added another dimension to information security. With the Internet, computers can communicate and share information with other computers outside an organization's networks and beyond their computer center. This new mode of communication meant that the existing security model was inadequate to meet the threats and challenges inherent in this new technology infrastructure. A new model of information security management is needed to meet the security challenges presented in this new environment. This has motivated the focal area of this research in information security management. Part of meeting this new challenge could also include the resurrection of risk as an important component of information security management.
The results of this research would be important to any organization with a need for a secure business environment. The research results will also be important to individuals responsible for managing information security in their organizations, as well as to senior executives and members of corporate boards of directors, because of their increased statutory responsibilities to secure various types of information in their organizations.
The scope of the paper is limited to the process and method for architectural descriptions for the information security management viewpoint, in the context of the enterprise security domain. Information security management in the enterprise may be viewed at three main levels, namely strategic, tactical, and operational. The motivators for security management are that it should be policy-driven (strategic level), guidelines-driven (tactical level), and measures-driven (operational level).
Because information security is concerned with securing enterprise business systems and related business processes, by default, information security management is a cross-functional activity. This means that existing enterprise business systems architectures could be used as reference models for developing an architectural description for the information security management viewpoint.
A meta model for the information security management viewpoint, developed in this research, includes various components. Details of the meta model are provided in the presentation slides. Some elements (the meta primitives) of the meta model are business strategy and mission, security management goals and objectives, security management system, security management program, information security framework, process improvement model with supporting methodology, and enterprise business systems.
An architecture framework is an important mechanism in developing architectural descriptions. The Open Group views an architecture framework as a tool that may be used for developing a broad range of different architectures. Details of an architecture framework for the information security management viewpoint are provided in the presentation slides. The important elements of this framework are stakeholder, principles, purpose, level of abstraction, organization layer, context, representation scheme, modeling scheme, standards, and the required technology.
Security governance structures share similarities with IT governance arrangements. All members of an organization have responsibilities for information security. This would be an important consideration in choosing an appropriate security governance model.
From the results of the research so far, the information security management viewpoint calls for a phased approach with iterative process models that include several elements, supporting methods and specific outputs. The viewpoint should also include an integrated process improvement model, with supporting methodology.
Currently, the main doctoral research is in the "demonstration of concept" stage. In this stage, the conceptual model will be validated in terms of the stated research problem. A potential outcome, and the value of validating the research proposition, could be an approach to implementing an information security management system. This would include an information security policy framework, a methodology, and a supporting process model that is regarded as essential to managing information security in the enterprise.