Information Security Management by Thierry J. Ruch
Managing Information Security
Due to the increasing use of information systems over the last decades, managing information security and handling security incidents has become an important topic in Information Management.
Information Security aims to protect information and information systems from unauthorized access, use and modification. These targets are represented by the three goals of Information Security: confidentiality, integrity and availability. Because Information Security should be oriented to business needs, it can be defined as follows:
Information Security is a deliberately chosen level of integrity, availability, confidentiality and accountability, which is reached through the use of strategies, procedures and technical measures in order to create trust among business partners and customers in the electronic environment in which the company operates and offers its services.
According to Müller (2005) and Krcmar (2005), the "Management of Information Security" can be defined as:
Management of Information Security is the management of all Information Security related risks. It encompasses the totality of all activities and measures for the goal-directed identification, analysis, control and monitoring of information management related risks across all related people, processes and technologies.
Our goal in this field of research is to identify or develop an Information Security Management Process Model that makes it possible to cope with the current and rising challenges in this field and that offers an effective foundation for Information Security Management in practice.
At the moment we are working on this topic in close cooperation with our partner COMIT AG, a Swiss consulting company with a focus on the financial sector.
Some of the important challenges in this area are described below.
Challenge: Business networking
Nowadays companies are connected with many other companies in order to produce and deliver their services and goods. These connections are mostly based on IT. Many employees of different companies work together, sometimes without knowing each other. Such a highly integrated network cannot be secured by technical measures alone.
Challenge: Measuring
Management can be defined as the steering and controlling of the business. Both processes need a lot of information about the current status of an organization's Information Security. But measuring it is a major problem in practice and in research. For this reason, no standard has developed in this area so far.
Challenge: Complexity and Resources
It is necessary to use a comprehensive management system to address all kinds of threats, ranging from technical issues to disgruntled employees. In most cases, limited resources increase the need for a management system that is comprehensive but also lean.
Derived from the Business Engineering model, such a management model should be based on the four layers of strategy, processes, systems and people.
Figure 1: Overview of an Information Security Model for the financial sector
Our research questions
- What are the current challenges for Managing Information Security, especially in the financial sector?
- What requirements can be derived from these challenges?
- What models and best practices for managing information security exist?
- Do these models fit all challenges?
- What must an ideal model look like?
- How can Information Security be measured?
Students
List of available topics for Bachelor and Master theses
Publications
- Messung der Informationssicherheit in der Praxis - Zusammenfassung der Ergebnisse einer empirischen Studie (Measuring Information Security in Practice - Summary of the Results of an Empirical Study; overview and PDF available)
- Informationssicherheit - Eine Top-Management-Aufgabe (Information Security - A Top Management Task), Schweizer Bank, 03/2010 (download available)
Topic related links
- Bundesamt für Sicherheit in der Informationstechnik (German Federal Office for Information Security) - http://www.bsi.de
- Datalossdb.org - http://datalossdb.org/
- Information Security Report Germany - http://www.bsi.de
- Information Security Report Switzerland - http://www.melani.admin.ch
- Securityforum.org - https://www.securityforum.org
For further information please contact Thierry J. Ruch.