Principles of Information System Security: Text and Cases
Gurpreet Dhillon
PowerPoint Prepared by Youlong Zhuang
University of Missouri-Columbia

Chapter Six
Security of Formal Systems in Organizations: An Introduction
Learning Objectives

- Identify the key aspects of formal information system security
- Explain structures of responsibility
- Understand organizational buy-in
- Explain the importance of security policies
- Identify the issues that matter in good security policy formulation
Copyright 2006 John Wiley & Sons, Inc.
6-3
Formal IS Security

- Creating organizational structures and processes to ensure security and integrity
- Creating and sustaining proper responsibility structures
- Maintaining the integrity of roles
- Creating adequate business processes
- Establishing an overarching strategy and policy
Ten Deadly Sins of IS Security Management, Table 6.1

Deadly sins of information system security:
1. Not realizing that information security is a corporate governance responsibility (the buck stops right at the top)
2. Not realizing that information security is a business issue and not a technical issue
3. Not realizing the fact that information security governance is a multi-dimensional discipline (information security governance is a complex issue, and there is no silver bullet or single ‘off the shelf’ solution)
4. Not realizing that an information security plan must be based on identified risks
5. Not realizing (and leveraging) the important role of international best practices for information security management
6. Not realizing that a corporate information security policy is absolutely essential
7. Not realizing that information security compliance enforcement and monitoring is absolutely essential
8. Not realizing that a proper information security governance structure (organization) is absolutely essential
9. Not realizing the core importance of information security awareness amongst users
10. Not empowering information security managers with the infrastructure, tools and supporting mechanisms to properly perform their responsibilities
Four Classes of Formal IS Security

- Security strategy and policy
- Responsibility and authority structures
- Business processes
- Roles and skills
Formal IS Security Dimensions

- Responsibility and authority structures
- Organizational buy-in
- Security policy
Responsibility and Authority Structures

- Determine how well the formal control systems perform
- Provide a means to understand how responsible agents are identified
- Help us understand the underlying patterns of behavior
- Manifest the roles and reporting structures of organizational members
Mapping Structures of Responsibility

- Identify the agents who determine what takes place, and what behavior is realized
- Agents are associated with communication acts which serve to change the social world, which in turn constitutes the world of interrelated obligations
- An ontology chart represents the invariants in any domain as patterns of behavior to be realized by agents acting therein
A Simple Representation of Structures of Responsibility, Figure 6.1

[Figure 6.1: A simple semantic schema (ontology chart) for a secure environment. Nodes in the chart: Person, Organisation, incumbency, Role (e.g. Administrator), Position, Room, PC (sited in a Room), Access, Network, Printer, Storage Device, Data Source, Data. Edge labels that survive from the figure include “supplies”, “stores”, “sited” and “incumbency”.]
Mapping Structures of Responsibility (Cont’d)

- Invariants on the right of the chart can only be realized when those on their left have been realized
- Each invariant pattern is shown as a node in the chart
- The analysis task is to elicit, for each node, the responsible agents and the norms used by the organization
- The chart is a useful platform to study the norms and structure of an organization
Mapping Structures of Responsibility (Cont’d)

- The chart sketches the generic affordances that constrain any agent in this domain
- It implicitly creates a place for the agents at each node who decide
  - Who has access to a PC
  - Which PCs have access to what data
  - Which PCs are sited in which rooms
- Agents make decisions in line with prevailing norms, which should reflect the practices espoused by the firm; the practices in turn conform to various overarching jurisdictions
Using Structures of Responsibility Maps

- Compare the responsibility structure revealed by the map against the explicit security management structure of the enterprise
  - The comparison is between the formal and the informal systems
  - It leads to the substantive actions required of members of the firm
  - It can be difficult to attribute responsibility if the norms are not strong
Using Structures of Responsibility Maps (Cont’d)

- Two security procedures are revealed when a person is given access to a PC which has access to the network
  - The ‘start’ and ‘finish’ of an incumbency
  - The ‘start’ and ‘finish’ of access to a PC
- Understand the underlying repertoires of behavior
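The dependency rule of the chart (a node on the right exists only while the nodes on its left exist) and the two ‘start’/‘finish’ procedures can be checked mechanically. The following is an added example, not code from the text or from Figure 6.1: it models a chart as a dependency graph in Python, with the organisation, person, room, PC and agent names all being constructed sample data. Its `dangling` check finds nodes whose own records say they exist although an antecedent has finished, which is exactly the case of an access to a PC that outlives the incumbency that justified it.

```python
"""Ontology-chart model of structures of responsibility.

Added example, not code from the Dhillon text or Figure 6.1. Encodes the rule
that a node on the right of the chart exists only while the nodes on its left
exist, and records the agents responsible for each node's start and finish.
All names (acme, alice, pc-7, room-314, agent ids) are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Affordance:
    """One node of the chart: a pattern of behaviour realized by agents."""
    name: str
    kind: str                                  # Person, Organisation, Role, PC, Access, ...
    antecedents: tuple[Affordance, ...] = ()   # nodes to the left that must exist first
    start: Optional[date] = None               # None: root invariant, always present
    finish: Optional[date] = None              # None: not (yet) terminated
    responsible: tuple[str, ...] = ()          # agents who decide this node's start/finish

    def own_period_covers(self, when: date) -> bool:
        """What this node's own start/finish records say, ignoring antecedents."""
        if self.start is not None and when < self.start:
            return False
        return self.finish is None or when <= self.finish

    def exists_at(self, when: date) -> bool:
        """Ontological dependency: a node exists only while all its antecedents do."""
        return self.own_period_covers(when) and all(a.exists_at(when) for a in self.antecedents)


class OntologyChart:
    def __init__(self) -> None:
        self.nodes: dict[str, Affordance] = {}

    def add(self, node: Affordance) -> Affordance:
        # A node cannot be realized before any of its antecedents was realized.
        for a in node.antecedents:
            if a.start and node.start and node.start < a.start:
                raise ValueError(f"{node.name} starts before antecedent {a.name}")
        self.nodes[node.name] = node
        return node

    def dangling(self, when: date) -> list[str]:
        """Nodes whose own records say they exist although an antecedent has gone:
        e.g. an access that outlived the incumbency justifying it (no 'finish' run)."""
        return sorted(n.name for n in self.nodes.values()
                      if n.own_period_covers(when) and not n.exists_at(when))

    def responsibility_chain(self, name: str) -> list[tuple[str, tuple[str, ...]]]:
        """Walk leftwards through the chart: who answers for each antecedent."""
        chain, seen = [], set()

        def walk(n: Affordance) -> None:
            if n.name in seen:
                return
            seen.add(n.name)
            for a in n.antecedents:
                walk(a)
            chain.append((n.name, n.responsible))

        walk(self.nodes[name])
        return chain


def build_sample_chart() -> OntologyChart:
    """Constructed sample using the node types of Figure 6.1."""
    c = OntologyChart()
    acme = c.add(Affordance("acme", "Organisation"))
    alice = c.add(Affordance("alice", "Person"))
    room = c.add(Affordance("room-314", "Room", (acme,), date(2020, 1, 1), responsible=("facilities",)))
    pc = c.add(Affordance("pc-7", "PC", (room,), date(2023, 5, 2), responsible=("it-ops",)))  # sited in room
    net = c.add(Affordance("network", "Network", (acme,), date(2020, 1, 1), responsible=("it-ops",)))
    c.add(Affordance("pc-7/network", "Access", (pc, net), date(2023, 5, 3), responsible=("it-ops",)))
    admin = c.add(Affordance("administrator", "Role", (acme,), date(2020, 1, 1), responsible=("hr",)))
    # Incumbency: alice holds the administrator role for a bounded period.
    inc = c.add(Affordance("alice@administrator", "incumbency", (alice, admin), date(2024, 1, 8),
                           finish=date(2024, 6, 30), responsible=("hr", "line-manager")))
    # Access to the PC was started with the incumbency but never finished.
    c.add(Affordance("alice@administrator/pc-7", "Access", (inc, pc), date(2024, 1, 10),
                     responsible=("it-ops", "line-manager")))
    return c


def audit_sample(iso_day: str) -> list[str]:
    """Dangling nodes of the sample chart on a given day (YYYY-MM-DD)."""
    return build_sample_chart().dangling(date.fromisoformat(iso_day))


if __name__ == "__main__":
    print(audit_sample("2024-03-01"))   # []
    print(audit_sample("2024-07-15"))   # ['alice@administrator/pc-7']
```

Running the module reports nothing dangling in March 2024 and flags alice’s PC access in July 2024, after her incumbency finished on 30 June: the ‘finish’ procedure for the incumbency ran, the one for the access did not. `responsibility_chain` walks the chart leftwards and lists, for each antecedent, the agents recorded as responsible for it, which is the analysis task the chart is meant to support.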
Organizational Buy-in

- Winning the support of an organization’s executive leadership is the most challenging task
- It is also a challenge to educate employees
- There is a two-fold need for executive leadership buy-in
  - It assures staff buy-in
  - It ensures funding
Organizational Buy-in (Cont’d)

- Support from the IT department is also essential
  - Consensus needs to be reached regarding the best practices to protect enterprise information assets
  - User support is another important ingredient
NIST’s Seven Steps for Effective Security Training

1. Identify Program Scope, Goals, and Objectives
   - The program should reach all types of people who interact with IT systems
   - An organization-wide program needs to be supplemented by more system-specific programs
2. Identify Training Staff
   - Trainers need both subject knowledge and communication skills
NIST’s Seven Steps for Effective Security Training (Cont’d)

3. Identify Target Audiences
   - Present only the information needed by the particular audience
4. Motivate Management and Employees
   - Show how participation will benefit the organization
5. Administer the Program
   - Visibility, selection of appropriate training methods, topics, materials, and presentation techniques
NIST’s Seven Steps for Effective Security Training (Cont’d)

6. Maintain the Program
   - A training program that meets an organization’s needs today may become ineffective when the organization starts to use a new application or changes its environment
7. Evaluate the Program
   - Measure how much information is retained, to what extent security procedures are being followed, and general attitudes toward security
Security Policy

- Numerous security problems have been attributed to the lack of a security policy
- Vulnerabilities related to security policies can arise at three levels: policy development, implementation, and reinterpretation
- More details in Chapter Seven
Good Security Policy Formulation

- A security policy incorporates the strategic direction of the company at both the micro and the macro level
- Clarifying the strategic agenda sets the stage for developing the security model
- Security policies determine the processes and techniques required to provide security, but not the technology used to do so
Good Security Policy Formulation (Cont’d)

- Implementing security policies entails developing procedures that carry out the techniques defined in the policies
- Security processes and techniques should be monitored constantly
- A response policy is an integral part of a good security policy
- Establish procedures and practices for educating all stakeholders
Layers in Designing Formal IS Security, Figure 6.2

[Figure 6.2: a layered model of formal IS security design. The layers, in the order the preceding slides describe them: Setting the Strategic Direction; Clarifying the Security Model; Develop a Security Policy; Define Implementation of Techniques; Evaluate and Monitor Procedures Implemented; Plan Responses. The figure also carries the labels “Implementation” and “Increase Awareness and Educate” spanning the layers.]
Concluding Remarks

- Good formal IS security is a function of
  - Organizational considerations related to the structures of responsibility
  - Ensuring organizational buy-in
  - Establishing security plans and policies and relating them to the organizational vision
Copyright 2006 John Wiley & Sons, Inc.

All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permission Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.