Challenging IS and ISM Standardization for Business Benefits - A business-practitioner's viewpoints

February 17, 2010

Juhani Anttila
Academician, International Academy for Quality (IAQ)
Venture Knowledgist Quality Integration
Helsinki, [email protected], www.QualityIntegration.biz

These pages are licensed under the Creative Commons Attribution 3.0 License, http://creativecommons.org/licenses/by/3.0 (mention the origin).
Challenging IS and ISM Standardization for Business Benefits

IS = Information security
ISM = Information security management

Focus on the ISM standardization of ISO/IEC JTC 1/SC 27 (IT security techniques) - the ISO/IEC 27000 family of standards

Key themes:
1. General ISM standardization
2. Guiding principles and basic terminology in ISM standards
3. System approach in ISM standards
4. PDCA model in the standardization
5. Business integration in the use of ISM standards
6. Business realities and ISM standardization
7. Business leaders' awareness and commitment
8. ISM performance and development
9. Epilogs
International information security standardization is a part of the general standardization, with its pros and cons

General standardization consists of international (ISO, IEC and ITU), regional, national and business-branch standardization:
* Standards are voluntary but may become obligatory through reference to the standards in contracts, regulations, etc. and in company-internal standardization
* Standards may consider both product characteristics and managerial, operational or technical issues
* A consensus approach is the core of the standardization process

All standardization aims at:
• Improved business performance and confidence, and quality of products (goods and services)
• Decreased operational costs
• Improved communication between people and organizations

Pros of general standardization:
• Broad acceptance and distribution of the texts
• Extensive expertise in preparing and commenting on the standards
• Wide commitment and recognition
• No restrictions on innovative implementation

Cons of general standardization:
• Uneven and unbalanced groups of volunteers participate in the standardization work.
• Management of the standardization is weak.
• Only issues of common interest are accepted into the final standard texts, mainly due to the consensus principle.
• Only trivial means of implementing the standard clauses may be considered in the standards.
• Handling of the issues in the standard text is superficial.
• The standardization process is very slow.
• Standard publications and participation in standardization are expensive.
ISO/IEC JTC 1/SC 27 standardization committee "IT security techniques"

The committee works with generic methods and techniques for information security and its management. The title of the committee does not reflect the whole area of the committee's work. There are five working groups (WG) in the committee:

All the working areas of the committee are practical topics to be applied in organizations. However, many texts are rather complicated or theoretical and not easily adoptable into organizational business cases. It is particularly difficult to recognize consistency in the committee's standardization.
There is a serious need for "family planning" for the whole standards structure of the committee

The basic ISM standards of the family are three: ISO/IEC 27000, ISO/IEC 27001 and ISO/IEC 27002, which are the most recognized reference documents for professional information security management worldwide.

These basic standards should be understood as a composite package. However, many users take them only as separate documents. The roles of the individual standards and of the package as a whole are difficult to recognize even for experts and for the ISO/IEC JTC 1/SC 27 committee members.

In addition to the basic set, there are many other standards in the family, including ISO/IEC 27003, ISO/IEC 27004, ISO/IEC 27005, ISO/IEC 27006:2007, ISO/IEC 27007 and ISO/IEC 27011, and numbered drafts now reaching at least ISO/IEC 27059; altogether ISO/IEC JTC 1/SC 27 has more than one hundred different subject items under consideration.

There are also other international standards, not prepared by ISO/IEC JTC 1/SC 27, that are considered parts of this same family, e.g. ISO 27799 for information security management in health care.

There is a serious need for family planning for the whole standards structure of the committee in order to avoid confusion and failures in the use of the standards. The user should clearly understand the whole set of the standards series and the position and role of each individual standard.
A chaotic standardization situation for business practitioners

In addition to the ISO/IEC 27000 standards, there are lots of other "competing" international standards and de facto standards that consider information security management. E.g. ISO/IEC 20000, ITIL, COBIT, the Sarbanes-Oxley Act, Basel II, FISMA, HIPAA, GLBA, NIST publications, etc. also include information security aspects.

These references may have many of the same or similar elements, but there is not necessarily consistency, e.g. in terminology and in the structure of realization.

The ISO/IEC 27000 standards have complicated links with many other management standards issued by other standardization bodies. Information security management standardization cannot be isolated from these other management standards. Many different management standards are (or even must be) applied simultaneously in organizations.

The ISO/IEC 27000 family of standards follows the same methodology that has been used in the well-known and much-used ISO 9000 series of quality management standards. However, the result is very questionable. There should be a much closer relationship between ISO/IEC 27000 and ISO 9000 standardization. Naturally, in organizational cases ISO 9000 should be applied in ISO/IEC 27000 applications, because ISM should be understood as a part of good management, and ISO 9000 applications should also take information security issues into account. Integrated use of different management standards is under consideration among standardization bodies, but no satisfactory results have yet been achieved.
What are the basic guiding principles for the foundation of ISO/IEC 27000 standardization?

There are no clear guiding information security management (ISM) principles defined particularly for ISO/IEC 27000 standardization, as there are, e.g., quality management principles (QMP) in the case of the ISO 9000 standards.

Guiding ISM principles, or core ISM values and concepts, are the foundation for a decisive ISM realization and standardization. They are the beliefs and behaviors of business-integrated ISM found in high-performing organizations, for integrating IS performance and operational requirements within a results-oriented business.

ISO/IEC 27001 refers to the OECD's nine complementary principles for information security management and culture: "The adoption of the PDCA (Plan-Do-Check-Act) model will also reflect the principles as set out in the OECD guidelines governing the security of information systems and networks." This is referred to only in ISO/IEC 27001 and is not valid for the whole ISO/IEC 27000 family; moreover, the OECD principles do not cover the whole scope of the ISO/IEC 27000 standards. In fact the whole referenced sentence is absurd, because the correlation between the PDCA model and the OECD principles is at least unclear.

Without a consistent foundation of guiding principles, the ISO/IEC 27000 family has very obviously developed on the basis of individual, spontaneous and inconsistent initiatives.
ISO 9000 quality management principles (QMP)

These principles can be used by senior management as a framework to guide their organizations towards improved performance. The principles are derived from the collective experience and knowledge of international experts:

* Principle 1: Customer focus
* Principle 2: Leadership
* Principle 3: Involvement of people
* Principle 4: Process approach
* Principle 5: System approach to management
* Principle 6: Continual improvement
* Principle 7: Factual approach to decision making
* Principle 8: Mutually beneficial supplier relationships

In fact these are principles for good organizational management. They are relevant for:
- all areas of an organization's business management
- all expert disciplines within business management, including information security
Basic terms and definitions are not considered consistently or logically in the ISO/IEC 27000 standards

• Definition of information security: "Preservation of confidentiality, integrity and availability of information, and ... other properties can also be involved." This is not a proper definition; it is only an open list of issues. The definition is reactive, not covering proactive aspects. The definition should be consistent with the concepts of information, knowledge and security. The basic dimensions characterizing information security in this "definition", integrity, availability and confidentiality, are very difficult concepts for business people to understand. Even experts have different opinions about these concepts.
• The key concept information security management (ISM) has not been defined at all in the ISM standards.
• Privacy is a very central and significant concept in the ISM standards. Its role in the standards is vague.
• The definition of information security assurance (ISA) and its relationship with ISM are unclear in the standards.
• ISO/IEC JTC 1/SC 27 has also started to consider governance. This is causing confusion among standards users, because the relationships among the key managerial concepts are not clear: (organizational) business management, corporate governance, IT governance (ITG), ISM, information security governance (ISG) and ISA. These are used in many documents. Business people should be able to deal with the concepts consistently and effectively in practice.
• There is no systematic concept analysis in the ISM standards, as used e.g. in the standard ISO 9000.
Defining the concept information security management

For the time being, one of the most central concepts, "information security management", has not been defined at all in the ISO/IEC 27000 family of standards.

The definition may, however, be created by reference to the standardized definitions of other analogous concepts, e.g. quality management and risk management:

Information security management: coordinated activities to direct and control an organization with regard to information security

Note: Information security management is not management of information security but management of an organization. This means integrated information security management: information security management is a responsibility of the business management, and it takes place through the managing actions of business leaders. Experts have assisting roles in information security management.
ISO 9000 quality management principle #5: System approach to management

"Identifying, understanding and managing interrelated processes as a system contributes to the organization's effectiveness and efficiency in achieving its objectives."

Key benefits:
• Integration and alignment of the processes that will best achieve the desired results.
• Ability to focus effort on the key processes.
• Providing confidence to interested parties as to the consistency, effectiveness and efficiency of the organization.

Applying the principle of system approach to management typically leads to:
• Structuring a system to achieve the organization's objectives in the most effective and efficient way.
• Understanding the interdependencies between the processes of the system.
• Structured approaches that harmonize and integrate processes.
• Providing a better understanding of the roles and responsibilities necessary for achieving common objectives, and thereby reducing cross-functional barriers.
• Understanding organizational capabilities and establishing resource constraints prior to action.
• Targeting and defining how specific activities within a system should operate.
• Continually improving the system through measurement and evaluation.

This principle is relevant for all areas of organizational management. An organization is managed as one single system.
Information security management system (ISMS), a core concept in information security standardization

There are two elements in the concept information security management system (ISMS):
1. Management system (of an organization), MS: a system to establish policy and objectives (of an organization) and to achieve those objectives
2. Information security, IS: a qualifier (attribute) characterizing a management system (MS), i.e. characterizing how IS is taken into account in the management system

ISMS = IS of/in/for MS
ISMS ≠ a system for information security

ISMS is a concept for a systematic approach, "systematicity", to IS in an organization's management.

ISMS is principally aimed at an organization's own internal business management needs and purposes.

In fact, the concept ISMS is not needed at all for practical management approaches in organizations. It has caused a lot of confusion, especially when translated into different languages.
Information security management (ISM) and information security assurance (ISA) - difference and consistency

There are two different but consistent viewpoints on managing information security in an organization:
A. Information security management (ISM), for organizations' internal management needs
B. Information security assurance (ISA), which aims to create and strengthen confidence among an organization's external stakeholders. ISA is chiefly a communication issue.

ISA is a part of ISM!

The ISO/IEC 27000 standards do not make clear linkages between ISA and ISM. For this, the standards ISO/IEC 27001 and ISO/IEC 27002 have the most essential role, but at present their relative positions are not clear. A natural possibility is to apply the same approach as in the ISO 9000 series with the standards ISO 9001 and ISO 9004:
- ISO/IEC 27002 is for ISM (guidance)
- ISO/IEC 27001 is for ISA (requirements)

ISO/IEC 27002 should never be understood as guidance for the ISO/IEC 27001 clauses.

Standards should be applied creatively in both domains, ISM and ISA.
Two principal domains, management and assurance, of the organizational management

Management disciplines:
- MA, MB, MC: organization-internal (business) management (system)
- AA/B, AB/C: assurance between organizations (based on the organization-internal management system)

Aim of the approaches:
- M: excellence (internal interest)
- A: confidence (external interest)

At all organizational levels there should be consistency among these disciplines. Both management and assurance consist of many different expertises.

(Figure: organizations A, B1, B2 and C with their internal management systems MA, MB1, MB2 and MC, and the assurance relations AA/B between A and B and AB/C between B and C.)
Information security management and assurance as consistent parts in an organization's management

ISM = Information security management (focus on the excellence of a business approach), ISO/IEC 27002
ISA = Information security assurance (focus on confidence in the conformity of an organization's product provision), ISO/IEC 27001

ISM covers the whole business management system (BMS).

(Figure labels: ISM business system aspects; ISA elements; ISM principles; tailoring case by case.)
System concept

A system (*) is a set of interrelated or interacting elements (processes).
- A system is an entity that maintains its existence and functions as a whole through the interaction of its parts.
- A system always has an aim or purpose defined by the system's creators or owners. The system is created precisely to accomplish its aim.
- A system has interactions and transactions with its environment, to get input from and to provide output for the system's stakeholders. Stakeholders may set requirements on the system.
- A system is managed as a whole. Management is based on knowledge and information and on the PDCA management model (feedback).

An organization is a system.

(*) Ref. ISO 9000 definition

(Figure: a system and its elements; the system's creators and owners; management; the system environment (stakeholders and system competitors); inputs and outputs through interactions and transactions; the system management domain (internal interest: effectiveness and efficiency) versus system requirements (external interest: effectiveness); ref. Russell's paradox.)
The PDCA (Plan-Do-Check-Act) model is a recognized multipurpose model for business management

The PDCA model (also called the Deming / Shewhart cycle) has a long history and a great variety of different applications, possibilities and uses in the field of general business management:
– The original model (PDSA, Plan-Do-Study-Act) was created by the American Walter Shewhart in the 1930s and used for production control.
– The model became popular through the American W. Edwards Deming's lectures on managerial quality over several decades (from the 1950s to the 1990s).
– The American Joseph Juran's trilogy model contains the same elements as the PDCA model; in Managerial Breakthrough (1964) he especially emphasized the difference between control and breakthrough. His spiral model was presented in his well-known Quality Control Handbook (1975).
– In the 1980s the Japanese Kaoru Ishikawa and Masaaki Imai emphasized problem solving and continual improvement ("Kaizen") according to the PDCA model.
– Later the Japanese Shoji Shiba did remarkable work combining the original PDCA model with ideas from knowledge management and Buddhist philosophy.
– The Six Sigma methodology for large-scale business performance improvement was developed by Motorola in the 1980s and became popular in the late 1990s and early 2000s through its successful application at General Electric. Six Sigma is also based on the PDCA approach.
– The PDCA model also has consistent linkages with traditional systems theory and system dynamics.
– In international standardization the model was first used in the ISO 9000:2000 standards for quality management, from where it came a few years later e.g. to the information security management standards. However, it is used very superficially in standardization.
A triple PDCA (*), a model for good management: coordinated activities to direct and control an organization (**)

PLANNING (P):
• Business and management models
• Business plan
• Approaches and methodology

DOING (D):
• Deploying the approach and achieving the results
• Controlling operational performance
• Corrective actions

CHECKING (C):
• Assessing the performance
• Reviewing the performance

ACTING (A):
• Preventive actions
• Improving actions
• Re-engineering
• Communicating
• Recognizing and rewarding

Applying a triple PDCA model ("The Eyes of Buddha" (***)):
1. Rational control (operational)
2. Continual rational small-step improvement (operational), the "Kaizen" approach
3. Innovative breakthrough changes (strategic)

(*) Deming / Shewhart, (**) ISO 9000, (***) Shiba; Bodhnath Stupa, Kathmandu
Information security management: planning, controlling and improving the performance of business processes

(Figure, ref. Dr. Juran's trilogy approach: performance, from bad to good, plotted over time. (1) Performance planning sets a control limit; (2) performance control, using feedback, rectifies sporadic problems and keeps performance within the limit; (3) small-step improvement ("Kaizen"); (4) breakthrough improvement, followed by control with the new limit; (5) new performance planning. Prevention and a PDCA cycle apply at each stage.)
Integration is the main strategy for a professional expertise approach within an organization (system)

Integration means:
• Implementing effective and efficient expertise items embedded within normal business management activities (especially in business processes)
• Acting against building distinct "expertise systems" (i.e. lack of integration). Business-separated expertise initiatives are artificial.

One must understand and take into account the nature of the organizational system, its business and its realities when implementing expertise initiatives of business management. Integration is always an organization-dedicated solution.

Expertises may include:
– Finance
– Quality
– Business risks
– Information security
– Human resources
– Information and communications
– Knowledge
– Occupational health and safety
– Environmental protection
– Innovation
– Ethics
– Social responsibility
– etc.

Cross-application of all expertise areas is needed. E.g. information security is needed in quality management, and quality in information security management.
Business integration of the standards' "systematicity"

Business standards are established through organizations' internal business structures and processes. A separate management system is artificial. Systematicity means illusion.
Management integration takes place at two levels

• The strategic level, where one makes decisions and undertakes measures concerning the entire organization (the business system of business processes) and considers especially the future competitiveness of the organization.
• The operational level, where decisions and measures concerning daily management are made and undertaken. The emphasis is on operational questions of the individual business processes.

These two managerial areas are very different in their purpose, and therefore different methodology is needed for them.

Integration covers all aspects needed for the management of an organization.
Necessary emphases in modern X management?

1. Integration: implementing effective / efficient and business-relevant X principles and methodology embedded within the organization's normal activities of strategic and operational management
2. Responsiveness: being able to adjust quickly to suddenly altered external conditions, and to resume stable operation without undue delay
3. Innovation: striving continuously for new organization-dedicated, innovative and unique solutions, and encouraging various choices for X management in different organizations

(Figure: the move from "X management" (a standard approach) to "X of/in/for management" (an organization's unique approach), i.e. dynamic and flexible business management.)
Integrating specialized domains of management standardization and ensuring natural business diversity

(Ref.: ISO management systems standardization, MSS)

(Figure, "the Finnish model for integration (MSS)": a general management system based on PDCA, with the general management responsibilities and business system at its center; around it the specialized domains risks, finance, product quality, occupational health and safety, security, environment, social responsibility and ethics; the whole surrounded by organizational diversity and organizational identity & privacy.)
(Figure: an organization. The owner (business creator) and purpose, values and appreciations, vision and mission, strategies and policies lead to management and the management system, with action plans and infrastructure. Business activities consist of operational duties and strategic development, running from a business establishment to satisfying requirements. Inputs: profound knowledge (business management sciences and experience, plus expertises in quality, information security, environmental protection, etc.) and promotion and support (standardization, political impact, consultancy, etc.). Environment: stakeholders with their needs and expectations (performance, price and cost), and competitors.)
Standardization and users' business reality

(Figure: within a standardization subject area, standardization X (issue X / standard element X / consensus process X) and standardization Y (issue Y / standard element Y / consensus process Y) stand on one side; on the other side is the practical realization of the subject area in organization A (realization elements A / innovation process A) and organization B (realization elements B / innovation process B).)
Organizational information security originates in business processes

All business results are achieved through managing business processes. Processes cover all kinds of daily doings or activities within any organization.

In integrating information security in organizations, it is important to understand information security issues in the context of business processes. All business process activities are very strongly information-intensive, and information flows between these activities, between different performers and even between distant operational locations. Information security is affected directly and in real time through process arrangements, tools, technical systems and people in practical work, and through how these are managed by appropriate and systematic practices. However, truly effective and efficient process management implies a radical change to the established management thinking and structures in many organizations. This should be taken into account in information security management realizations, too.

Although the standards explicitly refer to the process approach, it is applied in the standards unsystematically, inexplicitly and poorly, in a way that does not effectively support established business practices. E.g. ISO/IEC 27002 says: "The process approach ... presented in the ISMS family of standards is based on ... the PDCA process." This sentence is complete nonsense!
ISO 9000 quality management principle #4: Process approach

"A desired result is achieved more efficiently when activities and related resources are managed as a process."

Key benefits:
* Lower costs and shorter cycle times through effective use of resources.
* Improved, consistent and predictable results.
* Focused and prioritized improvement opportunities.

Applying the principle of process approach typically leads to:
* Systematically defining the activities necessary to obtain a desired result.
* Establishing clear responsibility and accountability for managing key activities.
* Analysing and measuring the capability of key activities.
* Identifying the interfaces of key activities within and between the functions of the organization.
* Focusing on the factors, such as resources, methods and materials, that will improve key activities of the organization.
* Evaluating risks, consequences and impacts of activities on customers, suppliers and other interested parties.

This principle is relevant for all areas of organizational management. An organization is managed as one single system of processes.
Historical notes on the process approach

• The process approach was already used in ancient plant and construction activities. The concept is often referred to in cases of natural development.
• Through industrialization, processes became an everyday concept in the so-called process industry.
• From the 1980s the process approach has been used for computers' internal activities according to the structured analysis and design technique (SADT).
• On a large scale, the business process approach has been used comprehensively for the benefit of business management for less than twenty years, and during that time a lot of practical means have been developed for the purpose.
• Process management thinking learned from systems theory and system dynamics.
• The process concept was introduced into the ISO 9000 quality management standards in the 1990s, and only in very recent years has the methodology come to the other international management standards, e.g. the information security management standards.
• BPR (Business Process Reengineering) is a concept for process improvement according to the ideas of the PDCA model. It was particularly promoted by Michael Hammer, James A. Champy and Tom Peters in the 1990s.
• BPM (Business Process Management) has in recent years become a popular concept among IT experts for automating business processes according to SOA (Service-Oriented Architecture) principles.
• Today all of an organization's business processes are "complex responsive processes of relating".
What is a (business) process?

A process is a continuous (*) activity by organized resources for fulfilling the organization's basic duties:
– Processes put the organization's business / action plan into practice.
– Operational everyday work is done in processes.
– Processes produce outputs (results) for the stakeholders.

There are always processes in all organizations. Structure (e.g. organizational structure) is a contradictory dimension to the processes. Both are needed; in fact both always exist in organizations. They cannot replace each other. Process (acting) is the primary one; structure (existing) should serve it.

Modern organizational processes are "complex responsive processes of relating".

The key business management question from the quality point of view is: how to manage business processes?

(*) A project is a singular or unique process.
The process/structure dilemma: managing for balance

Process (doing, acting): real time, active, skilled, emergent, agile, adaptive, flexible, open, free, living
Structure (being, existing): planned, built, passive, past, prescribed, stagnant

Balance issues:
- Freedom / control
- Awareness / instructions
- People / systems
- Proactive / reactive

(Figure: functionality plotted against structure stiffness, with two alternative structures, #1 and #2.)
A comprehensive process management model

(Figure: a business process receives inputs (requirements, needs, requisites) from other processes; work activity is carried out by people, other resources and procedures, yielding process outputs to other processes and business outcomes. Performance control runs a PDCA loop over output data and internal data: measurement, analysis, conformity check, corrective action, and preventive action / improvement; redesign and re-engineering feed back into the process. The process is subject to process performance assessments (audits) and to business performance assessment and review.)
New foundations for business infrastructure

- Uncertainty and ambiguity
- Emergence and self-organizing networks of actors
- Many heterogeneous global actors in virtual networks
- Everything linked with everything else, not all linkages known
- Customers and other stakeholders differentiating with singular needs
- Paradoxical freedom of the actors ("both-and" instead of "either-or")
- Significance of immaterial issues (information, knowledge, services)
- Informal learning and serendipity
- Increased speed of activities and change
- Significance of transaction phenomena
- Complex responsive processes of relating
- Simultaneous agility and maturity requirements
- Immense pressure / stress on business leaders

(Refs.: D. Zohar, R. D. Stacey)

(Replacing the earlier foundation of certainty and predictability.)
Problem and challenge of the information security profession: adapting to the needs of modern society

(Figure: over time, business environments and society move toward more speed, change, agility, complexity, diversity, immaterialness and variety, while the information security profession in its entirety lags behind; the gap is the problem, a "crisis of information security management".)

Changed business environments cannot be avoided: "No boundaries - the old boundaries have been obliterated. Today's trends increase uncertainty, variety, variability and dynamics in all areas of business management."

Preferred scenario:
- Global adaptation: evolution toward a synergistic society
- Breakthrough transformations needed in the information security profession

Marshall McLuhan: "Today each of us lives a hundred years in a decade."
Activities within complex responsive processes of relating

(Figure, ref. Stacey, http://www.plexusinstitute.org/edgeware/archive/think/main_aides3.html: a matrix of agreement (high to low) against certainty (high to low). Regions: standards / guidance / monitoring; political control - compromise; experimenting; the "zone of complexity" with innovation, creativity, debate, serendipity and trial & error; and chaos / anarchy.)

All kinds of activities may exist in networking processes.
Information security management is based on organizational information / knowledge

(Figure: the conscious layer consists of operational procedure documents, standards, operation records, factual knowledge, etc. (explicit contents); the sub-conscious layer is the reality of the management in the minds of individuals and in the practical operations (implicit / tacit contents).)

– The latter part is the most significant regarding the actions for the management realization.
– Its contents may change with time and situation, and depending on influences and learning.
37
Empirical fact-based information and inherent knowledge are needed for successful management
0609/25.3.2008/jan
[Figure: a PDCA (Plan / Do / Check / Act) loop around the performance reality of the company business processes: measuring yields data, analysing turns data into information, reflecting and deciding leads to intervention (plan / act), and its effects feed back as facts. Knowledge (explicit records; tacit knowledge, i.e. know-how and competence), wisdom (myths, values), ”Ba” and the environments surround the loop. You get what you measure.]
38
Business people are not adequately committed to information security management
3183/22.1.2010/jan
Studies and observations made in small and big companies and governmental offices:
Although:
• Most people in our organizations know the fundamentals and basic principles of IS and recognize their importance, and may even be well-motivated.
• There are a lot of general and organization-dedicated IS training and education programs for increasing awareness and skills of IS.
However:
• Senior executives in those organizations:
– Are not really interested in information security in their own management practices
– Don’t understand or recognize their managing role for information security
– Have only a superficial understanding of information security
– Lack the necessary skills for managing an organization with regard to information security
– Are not familiar with the information security standards
– Easily delegate their responsible duties to external consultants or even outsource the whole issue
39
Why are business leaders poorly committed to information security management?
3186/22.1.2010/jan
• Basic professional IS concepts, e.g. integrity, availability and confidentiality, are difficult, complicated and strange to business people.
• Information security management requires specific knowledge and skills.
• Guidance materials for information security management are complicated and confusing, and difficult to realize and apply consistently:
– General standards and guidelines, e.g. the ISO/IEC 27000 family of standards and the OECD Guidelines
– Information technology and service references that normally also consider information security aspects, e.g. ISO/IEC 20000, ITIL, COBIT, Sarbanes-Oxley Act, etc.
• General management references, e.g. ISO 9000 standards, extensive and multifaceted general management literature, and management education, e.g. MBA programmes, don’t clarify information security as a management issue and don’t explicitly promote the issue.
• Information security is a multidisciplinary issue and difficult to cope with using simple managerial practices, particularly in today’s turbulent business environments.
• Communication between business leaders and information security (and other related) experts is ineffective and uncreative in general and within organizations.
• Business leaders are very busy, subjective, authoritative, and holistic generalists.
• External third-party audits and certifications undermine business leaders’ active responsibility.
• Business information is principally based on tacit (implicit) knowledge, and management of the security of tacit knowledge is a sophisticated issue.
40
Consequences when senior executives don’t commit to information security management
3187/22.1.2010/jan
• Information security is not managed in a business-minded way and is not aligned with real business needs.
• Information security is seen only as a reactive and negative question of fulfilling some standardized requirements.
• Organizations keep busy with separate and restricted information security questions.
• Information security standards are not understood from the viewpoint of managerial responsibility.
• Organizations take only “cosmetic” or superficial actions for information security management.
• Business leaders delegate their management responsibilities to experts or outsource the whole issue to external consulting organizations.
• Organizations keep silent on their problems or incompetence in information security – and suffer the consequences, or hope that nothing serious will happen.
41
Information security management performance is not an ON / OFF issue!
3757/3.1.2010/jan
[Figure: information security performance plotted against specific actions (measures or tricks). Performance is a scale from 0 to 1, not a YES / NO switch.]
42
An organization’s business performance (from early stage to maturity) – Information security integration
2460/2.1.2010/jan
[Figure: grade of business performance (effectiveness) on a scale of 0 to 100%, where 0 = good-for-nothing and 1 = perfect, against assessed overall business performance. The maturity stages from early stage to maturity are Anecdotal, Beginnings, Competitiveness, Excellence and Leadership. Organizations with a third-party certificate (*) are spread across the scale. Need of change? How to make the change happen?]
(*) Third-party certifications do not define any particular level of performance. Organizations cannot differ from the others on the basis of third-party certificates.
All business performances (including information security) are fuzzy issues:
43
Epilog 1: Situation and challenge
3772/12.1.2010/jan
There are significant inadequacies, inconsistencies and other problems in the general international standardization and standards, mainly due to the normal standardization processes.
Individual organizations applying the general standards should highlight the responsibility of their own business leaders and experts in order to achieve the benefits.
Continuously increasing awareness and knowledge, innovations, and courage are required to create and implement useful and organization-dedicated solutions when applying the standards in real business environments. There should also be effective cooperation between business leaders and information security experts. Proactive recognition of standards may be promoted by active participation in standards preparation and commenting.
44
Theses of the new approach for applying information security management standards
Striving for a competitive information security integration by:
• Recognizing performance excellence instead of narrow information security conformity thinking
• Striving for a systematic approach (“systematicity”) to information security in management instead of formal and distinct information security management systems
• Using business-related information security management principles and actions instead of fulfilling formal and general information security assurance requirements only
• Aiming at innovative and unique solutions instead of stereotyped systems
• Relying on internal business performance self-assessments and advanced information security assurance communication instead of third-party audits and certifications of “artificial” information security management systems
• Taking advantage of tacit knowledge instead of only records of explicit data and information
• Networking with partners and recognized world-wide communities of multifarious expertise
• Supporting various ways of collaborative learning instead of narrow-minded and reactive control only
• Reinforcing and using the company’s own internal awareness and expertise instead of passive use of external consultants
3768/12.1.2010/jan
45
Epilog 2: Keep your organization’s identity in applying general information security standards
There will also be, in future, standards experts who don’t understand or don’t want to understand the business realities of real organizations.
The consensus process of standardization has a detrimental influence on the clarity of general standards and increases their ambiguity: “Stupidity condenses in the masses - The mob has many heads but no brains”
However, standards must not hinder creative applications of the standards by responsible organizations.
3769/12.1.2010/jan
46
Juhani Anttila, Independent Expert, Venture Knowledgist
• Expertise of more than 40 years in the field of quality and 20 years of information security
• 35 years at different quality-related positions at Telecom Finland and Sonera Corporation
• Several decades’ involvement with international and national standardization of quality, reliability, information security and telecommunications
• Many years Assembly Representative and Vice President of the European Organization for Quality (EOQ)
• A founder and developer of the Finnish National Quality Award, developer and assessor of the European Quality Award
• International Academician for Quality (Member of the International Academy for Quality)
• Honorary Member of the Finnish Society for Quality, Honorary Fellow Member of the Quality and Productivity Society of Pakistan
• Board member or chairman in some companies
• Expert adviser in several organizations in quality management, dependability management, information security management, crisis management and social media, and lecturer in some universities
• Expert in projects in some developing countries
• Contributing by writings, lectures, and speeches globally on five continents
3678x/3.5.2009/jan (Ref.: http://www.qualityintegration.biz/contacts.html)