Page 1: Challenging IS and ISM Standardization for Business Benefits - A business-practitioner’s viewpoints

February 17, 2010

Juhani Anttila
Academician, International Academy for Quality (IAQ)
Venture Knowledgist Quality Integration
Helsinki, Finland
[email protected], www.QualityIntegration.biz

These pages are licensed under the Creative Commons 3.0 License http://creativecommons.org/licenses/by/3.0 (Mention the origin)

Page 2: Key themes

Challenging IS and ISM Standardization for Business Benefits

IS = Information security
ISM = Information security management

Focus on the ISM standardization of ISO/IEC JTC1 SC 27 (IT security techniques) - ISO/IEC 27000 family of standards

Key themes:
1. General ISM standardization
2. Guiding principles and basic terminology in ISM standards
3. System approach in ISM standards
4. PDCA model in the standardization
5. Business integration in the use of ISM standards
6. Business realities and ISM standardization
7. Business leaders’ awareness and commitment
8. ISM performance and development
9. Epilogs

Page 3: International information security standardization is a part of the general standardization with its pros and cons

General standardization consists of international (ISO, IEC and ITU), regional, national and business branch standardization:
* Standards are voluntary but may become obligatory through reference to the standards in contracts, regulations, etc. and in company internal standardization
* Standards may consider both product characteristics and managerial, operational or technical issues
* A consensus approach is the core of the standardization process

All standardization aims at:
• Improved business performance and confidence, and quality of products (goods and services)
• Decreased operational costs
• Improved communication between people and organizations

Pros of general standardization:
• Broad acceptance and distribution of the texts
• Extensive expertise in preparing and commenting on the standards
• Wide commitment and recognition
• No restrictions for innovative implementation

Cons of general standardization:
• The groups of voluntary people participating in the standardization work are uneven and unbalanced.
• Management of the standardization is weak.
• Only communally interesting issues are accepted into the final standard texts, mainly due to the consensus principle.
• Only trivial means to implement the standard clauses may be considered in the standards.
• Handling of the issues in the standard text is superficial.
• The standardization process is very slow.
• Standard publications and participating in standardization are expensive.

Page 4: ISO/IEC JTC1/SC27 standardization committee ”IT security techniques”

The committee works with generic methods and techniques for information security and its management. The title of the committee does not reflect the whole area of the work in the committee. There are five working groups (WG) in the committee:

All the working areas of the committee are practical topics to be applied in organizations. However, many texts are rather complicated or theoretical and not easily adoptable into organizational business cases. It is particularly difficult to recognize the consistency in the committee’s standardization.

Page 5: There is a serious need for family planning for the whole standards structure of the committee

The basic standards for ISM in the family are three standards, ISO/IEC 27000, ISO/IEC 27001 and ISO/IEC 27002, which are the most recognized reference documents for professional information security management worldwide.

These basic standards should be understood as a composite package. However, many users take them only as separate documents. The roles of the individual standards and of the package as a whole are difficult to recognize even for the experts and the ISO/IEC JTC 1 SC 27 committee members.

In addition to the basic set of standards, there are many other standards in the family, including ISO/IEC 27003, ISO/IEC 27004, ISO/IEC 27005, ISO/IEC 27006:2007, ISO/IEC 27007 and ISO/IEC 27011, and numbered drafts now at least up to the standard ISO/IEC 27059; all together ISO/IEC JTC1/SC27 has under consideration more than one hundred different subject items.

There are also other international standards not prepared by ISO/IEC JTC 1 SC 27 that are considered parts of this same family of standards, e.g. ISO 27799 for information security management in health care.

There is a serious need for family planning for the whole standards structure of the committee in order to avoid confusion and failures in the use of the standards. The user should clearly understand the whole set of the standards series and the position and role of its individual standards.

Page 6: A chaotic standardization situation for business practitioners

In addition to the ISO/IEC 27000 standards, there are lots of other "competing" international standards and de-facto standards concerning information security management. E.g. ISO/IEC 20000, ITIL, COBIT, the Sarbanes-Oxley Act, Basel II, FISMA, HIPAA, GLBA, NIST, etc. also include information security aspects.

These references may have many of the same or similar elements, but there is not necessarily consistency, e.g. in terminology and in the structure of realization.

The ISO/IEC 27000 standards have complicated links with many other management standards issued by other standardization bodies. Information security management standardization cannot be isolated from these other management standards. Many different management standards are (or even must be) applied simultaneously in organizations.

The ISO/IEC 27000 family of standards follows the same methodology that has been used in the well-known and much used ISO 9000 standard series for the quality of management. However, the result is very questionable. There should be a much closer relationship between ISO/IEC 27000 and ISO 9000 standardization. Naturally, in organizational cases ISO 9000 should be applied in ISO/IEC 27000 applications because ISM should be understood as a part of good management, and ISO 9000 applications should also take into account information security issues. Integrated use of different management standards is under consideration among standardization bodies but has not yet achieved any satisfactory results.

Page 7: What are the basic guiding principles for the foundation of ISO/IEC 27000 standardization?

There are no clear guiding information security management (ISM) principles defined particularly for the ISO/IEC 27000 standardization, as there are e.g. quality management principles (QMP) in the case of the ISO 9000 standards.

Guiding ISM principles, or core ISM values and concepts, are the foundation for a decisive ISM realization and standardization. They are the beliefs and behaviors of business-integrated ISM found in high-performing organizations for integrating IS performance and operational requirements within a results-oriented business.

ISO/IEC 27001 refers to OECD’s nine complementary principles for information security management and culture:

“The adoption of the PDCA (Plan-Do-Check-Act) model will also reflect the principles as set out in the OECD guidelines governing the security of information systems and networks.”

This is referred to only in ISO/IEC 27001 and is not valid for the whole ISO/IEC 27000 standards family; otherwise the OECD principles do not cover the whole scope of the ISO/IEC 27000 standards. Factually, the whole referred sentence is absurd because the correlation between the PDCA model and the OECD principles is at least unclear.

Without a consistent foundation of guiding principles, the ISO/IEC 27000 family has very obviously developed on the basis of individual, spontaneous and inconsistent initiatives.

Page 8: ISO 9000 quality management principles, QMP

These principles can be used by senior management as a framework to guide their organizations towards improved performance. The principles are derived from the collective experience and knowledge of the international experts:

* Principle 1: Customer focus
* Principle 2: Leadership
* Principle 3: Involvement of people
* Principle 4: Process approach
* Principle 5: System approach to management
* Principle 6: Continual improvement
* Principle 7: Factual approach to decision making
* Principle 8: Mutually beneficial supplier relationships

Factually these are principles for good organizational management. They are relevant for:
- all areas of an organization’s business management
- all expert disciplines within business management, including information security

Page 9: Basic terms and definitions are not considered consistently or logically in the ISO/IEC 27000 standards

• Definition of information security: “Preservation of confidentiality, integrity and availability of information, and ... other properties can also be involved”

This is not a proper definition. It is only an open list of issues. The definition is reactive, not covering proactive aspects. The definition should be consistent with the concepts of information, knowledge and security. The basic dimensions characterizing information security in its “definition”, integrity, availability and confidentiality, are very difficult concepts for business people to understand. Even experts have different opinions about these concepts.

• The key concept information security management (ISM) has not been defined at all in the ISM standards.

• Privacy is a very central and significant concept in the ISM standards. Its role is vague in the standards.

• The definition of information security assurance (ISA) and its relationship with ISM are unclear in the standards.

• ISO/IEC JTC1/SC27 has also started to consider governance. This is causing confusion among standards users because the relationships among the key managerial concepts are not clear: (organizational) business management, corporate governance, IT governance (ITG), ISM, information security governance (ISG), and ISA. These are used in many documents. Business people should be able to deal with the concepts consistently and effectively in practice.

• There is no systematic concept analysis in the ISM standards as used e.g. in the standard ISO 9000.

Page 10: Defining the concept information security management

For the time being, one of the most central concepts, ”information security management”, has not been defined at all in the ISO/IEC 27000 standards family.

The definition may, however, be created by reference to the standardized definitions of other analogical concepts, e.g. quality management and risk management:

Information security management: Coordinated activities to direct and control an organization with regard to information security

Note: Information security management is not management of information security but management of an organization. This means an integrated information security management: information security management is a responsibility of the business management, and it takes place through the managing actions of business leaders.

Experts have assisting roles in information security management.

Page 11: ISO 9000 quality management principle #5: System approach to management

”Identifying, understanding and managing interrelated processes as a system contributes to the organization's effectiveness and efficiency in achieving its objectives”

Key benefits:
• Integration and alignment of the processes that will best achieve the desired results.
• Ability to focus effort on the key processes.
• Providing confidence to interested parties as to the consistency, effectiveness and efficiency of the organization.

Applying the principle of system approach to management typically leads to:
• Structuring a system to achieve the organization's objectives in the most effective and efficient way.
• Understanding the interdependencies between the processes of the system.
• Structured approaches that harmonize and integrate processes.
• Providing a better understanding of the roles and responsibilities necessary for achieving common objectives and thereby reducing cross-functional barriers.
• Understanding organizational capabilities and establishing resource constraints prior to action.
• Targeting and defining how specific activities within a system should operate.
• Continually improving the system through measurement and evaluation.

This principle is relevant for all areas of organizational management. An organization is managed as one single system.

Page 12: Information security management system (ISMS), a core concept in information security standardization

There are two elements in the concept information security management system, ISMS:

1. Management System (of an organization), MS:
- System to establish policy and objectives (of an organization) and to achieve those objectives

2. Information security, IS:
- A qualifier (attribute) characterizing a management system (MS), i.e. characterizing how IS is taken into account in the management system

ISMS = IS of/in/for MS
ISMS =/= System for information security

ISMS is a concept for a systematic approach, “systematicity”, for IS in an organization’s management.

ISMS is principally aimed at an organization’s own internal business management needs and purposes.

In fact, the concept ISMS is not at all needed for practical management approaches in organizations. It has caused a lot of confusion, especially when translated into different languages.

Page 13: Information security management (ISM) and information security assurance (ISA) - Difference and consistency

There are two different but consistent viewpoints to managing information security in an organization:

A. Information security management (ISM) for an organization’s internal management needs
B. Information security assurance (ISA) that aims to create and strengthen confidence among an organization’s external stakeholders. ISA is chiefly a communication issue.

ISA is a part of ISM!

The ISO/IEC 27000 standards do not make clear linkages between ISA and ISM. For this, the standards ISO/IEC 27001 and ISO/IEC 27002 have the most essential role. Now their relative positions are not clear. A natural possibility is to apply the same approach as in the ISO 9000 standards series with the standards ISO 9001 and ISO 9004:
- ISO/IEC 27002 is for ISM (Guidance)
- ISO/IEC 27001 is for ISA (Requirements)

ISO/IEC 27002 should never be understood as guidance for the ISO/IEC 27001 clauses.

Standards should be applied creatively in both domains of ISM and ISA.

Page 14: Two principal domains, management and assurance, of the organizational management

Management disciplines:
- MA, MB, MC: Organization-internal (business) management (system)
- AA/B, AB/C: Assurance between organizations (based on the organization-internal management system)

Aim of the approaches:
- M: Excellence (internal interest)
- A: Confidence (external interest)

At all organizational levels there should be consistency among these disciplines. Both management and assurance consist of many different expertises.

[Figure: Organizations A, B1, B2 and C with their internal management systems MA, MB1, MB2 and MC; assurance AA/B between organization A and the B organizations, and AB/C between the B organizations and organization C]

Page 15: Information security management and assurance as consistent parts in an organization’s management

ISM = Information security management (focus on excellence of a business approach), ISO/IEC 27002
ISA = Information security assurance (focus on confidence for conformity in an organization’s product provision), ISO/IEC 27001

ISM covers the whole business management system (BMS).

[Figure: ISM business system aspects, ISM principles and ISA elements as parts of the BMS, with tailoring case-by-case]

Page 16: System concept

A system (*) is a set of interrelated or interacting elements (processes).
- A system is an entity that maintains its existence and functions as a whole through the interaction of its parts.
- A system always has an aim or purpose defined by the system’s creators or owners. The system is created just to accomplish its aim.
- A system has interactions and transactions with its environment to get input from and to provide output for the system’s stakeholders. Stakeholders may set requirements on the system.
- A system is managed as a whole. Management is based on knowledge and information and the PDCA management model (feedback).

An organization is a system.

(*) Ref. ISO 9000 definition

[Figure: a system (and its elements) within its system management domain, managed by the system’s creators and owners (internal interest: effectiveness and efficiency); the system environment (stakeholders and system-competitors) sets system requirements (external interest: effectiveness, ref. Russell's paradox) and exchanges inputs and outputs with the system through interactions and transactions]

Page 17: The PDCA (Plan-Do-Check-Act) is a recognized multipurpose model for business management

The PDCA model (also called the Deming / Shewhart cycle) has a long history and a great variety of different applications, possibilities, and uses in the field of general business management:

– The original PDSA (Plan-Do-Study-Act) model was created by the American Walter Shewhart in the 1920’s and used for production control.

– The model became popular through the American W. Edwards Deming’s lectures on managerial quality during several decades (from the 1950’s to the 1990’s).

– The American Joseph Juran’s Trilogy Model (1964) contains the same elements as the PDCA model. He especially emphasized the differences between control and breakthrough. His spiral model was presented in his well-known Quality Control Handbook (1975).

– In the 1980’s the Japanese Kaoru Ishikawa and Masaaki Imai emphasized problem solving and continual improvement (“Kaizen”) according to the PDCA model.

– Later the Japanese Shoji Shiba has done remarkable work by combining the original PDCA model with the ideas of managing knowledge and of Buddhist philosophy.

– In the late 1990’s and early 2000’s the Six Sigma methodology for large scale business performance improvements was developed by Motorola and became popular through its successful application in General Electric. Six Sigma is also based on the PDCA approach.

– The PDCA model also has consistent linkages with traditional systems theory and system dynamics.

– In international standardization the model was first used in the ISO 9000:2000 standards for quality management, from where it came e.g. to the information security management standards a few years later. However, it is used very superficially in standardization.

Page 18: A triple PDCA (*), a model for good management: Coordinated activities to direct and control an organization (**)

PLANNING (P):
• Business and management models
• Business plan
• Approaches and methodology

DOING (D):
• Deploying the approach and achieving the results
• Controlling operational performance
• Corrective actions

CHECKING (C):
• Assessing the performance
• Reviewing the performance

ACTING (A):
• Preventing actions
• Improving actions
• Re-engineering
• Communicating
• Recognizing and rewarding

Applying a triple PDCA model (“The Eyes of Buddha” (***)):
1. Rational control (operational)
2. Continual rational small step improvement (operational), “Kaizen” approach
3. Innovative breakthrough changes (strategic)

(*) Deming / Shewhart, (**) ISO 9000, (***) Shiba; Bodhnath Stupa, Kathmandu

Page 19: Information security management: Planning, controlling, and improving the performance of business processes

(Ref. Dr. Juran: Trilogy Approach)

[Figure: performance (bad to good) plotted against time. (1) Performance planning, run as a PDCA cycle, sets a control limit. (2) Performance control keeps performance within the limit by rectifying sporadic problems (feedback). (3) Small step improvement, ”Kaizen”, and (4) breakthrough improvement, each run as a PDCA cycle, raise performance, after which control continues with the new limit. (5) New performance planning starts the next round. Prevention is marked alongside control.]

Page 20: Integration is the main strategy for a professional expertise approach within an organization (system)

Integration means:
• Implementing effective and efficient expertise items embedded within normal business management activities (especially in business processes)
• Acting against building distinct ”expertise systems” (i.e. lack of integration). Business-separated expertise initiatives are artificial.

One must understand and take into account the nature of the organizational system, its business and its realities when implementing expertise initiatives of business management. Integration is always an organization-dedicated solution.

Expertises may include:
– Finance
– Quality
– Business risks
– Information security
– Human resources
– Information and communications
– Knowledge
– Occupational health and safety
– Environmental protection
– Innovation
– Ethics
– Social responsibility
– etc.

Cross-application of all expertise areas is needed. E.g. information security is needed in quality management and quality in information security management.

Page 21: Business-integration of the standards’ ”systematicity”

Business standards are established through organizations’ internal business structures and processes. A separate management system is artificial. Systematicity means illusion.

Page 22: Management integration takes place at two levels

• The strategic level, where one makes decisions and undertakes measures concerning the entire organization (business system of business processes) and considers especially the future competitiveness of the organization.

• The operational level, where decisions and measures concerning daily management are made and undertaken. The emphasis is on operational questions of the individual business processes.

These two managerial areas are very different in their purpose, and therefore different methodology is needed for them.

Integration covers all aspects needed for the management of an organization.

Page 23: Necessary emphases in modern X management?

1. Integration:
– Implementing effective / efficient and business-relevant X principles and methodology embedded within the organization’s normal activities of strategic and operational management

2. Responsiveness:
– Being able to adjust quickly to suddenly altered external conditions, and to resume stable operation without undue delay

3. Innovation:
– Striving continuously for new organization-dedicated innovative and unique solutions and encouraging various choices for X management in different organizations.

[Figure: the standard approach, ”X management”, contrasted with an organization’s unique approach, ”X of/in/for management”, within dynamic and flexible business management]

Page 24: Integrating specialized domains of management standardization and ensuring natural business diversity

(Ref.: ISO Management systems standardization, MSS)

[Figure: The Finnish model for integration (MSS). A general management system based on PDCA, with general management responsibilities and the business system at its centre, integrates the specialized domains: risks, finance, product quality, occupational health and safety, security, environment, social responsibility and ethics. Organizational diversity and organizational identity & privacy surround the model.]

Page 25: An organization

[Figure: an organization, from a business establishment to satisfying requirements. The owner (business creator) and purpose, together with values and appreciations, set the vision, mission, strategies and policies; management and the management system turn these into action plans and infrastructure. Business activities consist of operational duties and strategic development. Profound knowledge comes from business management sciences and experiences plus expertises in quality, information security, environmental protection, etc. Around the organization are stakeholders with needs and expectations (performance, price and cost), competitors, and promotion and support (standardization, political impact, consultancy, etc.).]

Page 26: Standardization and users’ business reality

[Figure: the standardization subject area contrasted with the practical realization of the subject area. Standardization X: Issue X / Standard element X / Consensus process X; Standardization Y: Issue Y / Standard element Y / Consensus process Y. Organization A: Realization elements A / Innovation process A; Organization B: Realization elements B / Innovation process B.]

Page 27: Organizational information security originates in business processes

All business results are achieved through managing business processes. Processes adhere to all kinds of daily doings or activities within any organization.

In integrating information security in organizations, it is important to understand information security issues in the context of business processes. All business process activities are very strongly information-intensive, and information flows between these activities, between different performers, and even between distant operational locations. Information security is affected directly in real time through process arrangements, tools, technical systems, and people in practical work, and through how these are managed by appropriate and systematic practices.

However, truly effective and efficient process management implies a radical change to the established management thinking and structures in many organizations. This should be taken into account in information security management realizations, too.

Although the standards explicitly refer to the process approach, it is applied in the standards unsystematically, inexplicitly and poorly, in a way that does not effectively support established business practices. E.g. ISO/IEC 27002 says: “The process approach ... presented in the ISMS family of standards is based on ... the PDCA process.” This sentence is complete nonsense!

Page 28: ISO 9000 quality management principle #4: Process approach

”A desired result is achieved more efficiently when activities and related resources are managed as a process.”

Key benefits:
* Lower costs and shorter cycle times through effective use of resources.
* Improved, consistent and predictable results.
* Focused and prioritized improvement opportunities.

Applying the principle of process approach typically leads to:
* Systematically defining the activities necessary to obtain a desired result.
* Establishing clear responsibility and accountability for managing key activities.
* Analysing and measuring the capability of key activities.
* Identifying the interfaces of key activities within and between the functions of the organization.
* Focusing on the factors such as resources, methods, and materials that will improve key activities of the organization.
* Evaluating risks, consequences and impacts of activities on customers, suppliers and other interested parties.

This principle is relevant for all areas of organizational management. An organization is managed as one single system of processes.

Page 29: Historical notes for the process approach

• The process approach was used already in ancient plant and construction activities. The concept is often referred to in cases of natural development.

• Through industrialization, processes became an everyday concept in the so-called process industry.

• From the 1980’s the process approach has been used for computers’ internal activities according to the structured analysis and design technique (SADT).

• On a large scale, the business process approach has been used comprehensively for the benefit of business management only for less than twenty years, and during that time a lot of practical means have been developed for that purpose.

• Process management thinking has learned from systems theory and system dynamics.

• The process concept was introduced into the ISO 9000 quality management standards in the 1990’s, and only in very recent years has the methodology come to the other international management standards, e.g. the information security management standards.

• BPR (Business Process Reengineering) is a concept for process improvements according to the ideas of the PDCA model. It was particularly promoted by Michael Hammer, James A. Champy and Tom Peters in the 1990’s.

• BPM (Business Process Management) has in recent years become a popular concept among IT experts for automating business processes according to SOA (Service Oriented Architecture) principles.

• Today all of an organization’s business processes are “complex responsive processes of relating”.

Page 30: Challenging IS and ISM Standardization for Business Benefits - A business-practitioner’s viewpoints

30

What is a (business) process?

3041/20.8.2005/jan

A process is a continuous(*) activity carried out by organized resources to fulfil the organization's basic duties:

– Processes put the organization's business / action plan into practice.
– Everyday operational work is done in processes.
– Processes produce outputs (results) for the stakeholders.

There are always processes in all organizations. Structure (e.g. organizational structure) is a dimension contradictory to process. Both are needed, and in fact both always exist in organizations; neither can replace the other. Process is the primary one; structure should serve it.

Modern organizational processes are “complex responsive processes of relating”.

The key business management question from the quality point of view is: how to manage business processes?

(Figure: Process (acting) versus Structure (existing))

(*) A project is a singular or unique process.


The process/structure dilemma: managing for balance


(Figure: functionality plotted against structure-stiffness, with two alternative structures, Structure #1 and Structure #2, imposed on the same process)

Process (doing, acting): real-time, active, skilled, emergent, agile, adaptive, flexible, open, free, living

Structure (being, existing): planned, built, passive, past, prescribed, stagnant

Balance issues:
– Freedom / control
– Awareness / instructions
– People / systems
– Proactive / reactive


A comprehensive process management model


(Figure: a business process under PDCA (Plan, Do, Check, Act) performance control)

• Inputs: requirements, needs and requisites, together with inputs from other processes.
• Work activity: carried out by people, other resources and procedures; it produces the process outputs, which go to other processes and to the business outcomes.
• Performance control: output data and internal data are measured; the measurements are analysed; a conformity check triggers corrective action; the analysis also drives preventive action and improvement and, where needed, re-design and re-engineering of the process.
• Above the process: process performance assessments (audits), and business performance assessment and review.


New foundations for business infrastructure


From certainty and predictability toward:

• Uncertainty and ambiguity
• Emergence and self-organizing networks of actors
• Many heterogeneous global actors in virtual networks
• Everything linked with everything else, with not all linkages known
• Customers and other stakeholders differentiating with singular needs
• Paradoxical freedom of the actors ("both-and" instead of "either-or")
• Significance of immaterial issues (information, knowledge, services)
• Informal learning and serendipity
• Increased speed of activities and change
• Significance of transaction phenomena
• Complex responsive processes of relating
• Simultaneous agility and maturity requirements
• Immense pressure / stress on business leaders

(Refs.: D. Zohar, R. D. Stacey)


Problem and challenge of the information security profession: adapting to the needs of modern society


(Figure: over time, business environments and society show ever increasing speed, change, agility, complexity, diversity, immaterialness and variety, while the information security profession in its entirety lags behind; the widening gap is the problem, a "crisis of information security management")

Changed business environments cannot be avoided: "No boundaries – the old boundaries have been obliterated. Today's trends increase uncertainty, variety, variability, dynamics in all areas of business management."

Preferred scenario:
– Global adaptation: evolution toward a synergistic society
– Breakthrough transformations needed in the information security profession

Marshall McLuhan: "Today each of us lives a hundred years in a decade."


Activities within complex responsive processes of relating

(Figure: the Stacey matrix; vertical axis Agreement from high to low, horizontal axis Certainty from high to low)

• High agreement, high certainty: standards, guidance, monitoring
• Low agreement, high certainty: political control, compromise
• High agreement, low certainty: experimenting
• Between these and the far corner, the "Zone of Complexity": innovation, creativity, debate, serendipity, trial & error
• Low agreement, low certainty: chaos, anarchy

All kinds of activities may exist in networking processes.

(Ref.: Stacey: http://www.plexusinstitute.org/edgeware/archive/think/main_aides3.html)


Information security management is based on organizational information / knowledge

(Figure: two layers of management knowledge)

• Conscious, explicit contents: operational procedure documents, standards, operation records, factual knowledge, etc.
• Sub-conscious, implicit / tacit contents: the reality of management in the minds of the individuals and in the practical operations.
– This part is the most significant with regard to the actions by which management is realized.
– Its contents may change with time and situation, and depending on influences and learning.


Empirical fact-based information and inherentknowledge are needed for successful management

(Figure: the PDCA loop of fact-based management over the performance reality of the company's business processes)

• Measuring the processes and their environments yields data (facts).
• Analysing the data yields information.
• Reflecting on the information and deciding draws on knowledge (explicit records; tacit knowledge, i.e. know-how and competence) and on wisdom (myths, values), within the shared context "Ba".
• The decision leads to an intervention (plan / act), whose effects on the processes are measured again.

You get what you measure.


Business people are not adequately committed to information security management


Studies and observations made in small and big companies and governmental offices:

Although:
• Most people in our organizations know the fundamentals and basic principles of IS and recognize their importance, and may even be well motivated.
• There are a lot of general and organization-dedicated IS training and education programs for increasing IS awareness and skills.

However, senior executives in those organizations:
– Are not really interested in information security in their own management practices
– Don't understand or recognize their managing role for information security
– Have only a superficial understanding of information security
– Lack the necessary skills for managing an organization with regard to information security
– Are not familiar with the information security standards
– Easily delegate their responsible duties to external consultants, or even outsource the whole issue


Why are business leaders poorly committed to information security management?

• Basic professional IS concepts, e.g. integrity, availability and confidentiality, are difficult, complicated and strange to business people.
• Information security management requires specific knowledge and skills.
• Guidance materials for information security management are complicated and confusing, and difficult to realize and apply consistently:
– General standards and guidelines, e.g. the ISO/IEC 27000 family of standards and the OECD Guidelines
– Information technology and service references that normally also consider information security aspects, e.g. ISO/IEC 20000, ITIL, COBIT, the Sarbanes-Oxley Act, etc.
• General management references, e.g. the ISO 9000 standards, the extensive and multifaceted general management literature, and management education, e.g. MBA programmes, don't clarify information security as a management issue and don't explicitly promote it.
• Information security is a multidisciplinary issue and difficult to cope with through simple managerial practices, particularly in today's turbulent business environments.
• Communication between business leaders and information security (and other related) experts is in general ineffective and uncreative, also within organizations.
• Business leaders are very busy, subjective, authoritative, holistic generalists.
• External third party audits and certifications undermine business leaders' active responsibility.
• Business information is principally based on tacit (implicit) knowledge, and managing the security of tacit knowledge is a sophisticated issue.


Consequences when senior executives don't commit to information security management


• Information security is not managed in a business-minded way and is not aligned with real business needs.
• Information security is seen only as a reactive and negative question of fulfilling some standardized requirements.
• Organizations keep busy with separate and restricted information security questions.
• Information security standards are not understood from the standpoint of managerial responsibility.
• Organizations take only "cosmetic" or superficial actions for information security management.
• Business leaders delegate their management responsibilities to experts or outsource the whole issue to external consulting organizations.
• Organizations keep silent about their problems or incompetence in information security – and suffer the consequences, or hope that nothing serious will happen.


Information security management performance is not an ON / OFF issue!


(Figure: a YES / NO (1 / 0) switch driven by specific actions (measures or tricks), contrasted with information security performance as a continuous scale)


An organization's business performance (from early stage to maturity) and information security integration

All business performances (including information security) are fuzzy issues:

(Figure: grade of business performance plotted against assessed overall business performance, on a scale from 0 = good-for-nothing to 1 = perfect, i.e. 0 to 100 %, with scale ticks at 0, 10, 30, 40, 60, 70, 90 and 100 %; the stages from early stage to maturity are labelled anecdotal, beginnings, competitiveness, effectiveness, excellence and leadership; organizations with a third party certificate (*) are spread across the scale)

Need for change? How to make the change happen?

(*) Third party certifications do not define any particular level of performance. Organizations cannot be distinguished from others on the basis of third party certificates.


Epilog 1: Situation and challenge

There are significant inadequacies, inconsistencies and other problems in general international standardization and standards, mainly due to the normal standardization processes.

Individual organizations applying the general standards should emphasize the responsibility of their own business leaders and experts in order to achieve the benefits.

Continuously increasing awareness and knowledge, innovation and courage are required to create and implement useful, organization-dedicated solutions when applying the standards in real business environments. Effective cooperation between business leaders and information security experts is also needed. Proactive recognition of standards can be promoted by active participation in standards preparation and commenting.


Theses of the new approach for applying information security management standards

Striving for a competitive information security integration by:
• Recognizing performance excellence instead of narrow information security conformity thinking
• Striving for a systematic approach ("systematicity") to information security in management instead of formal and distinct information security management systems
• Using business-related information security management principles and actions instead of only fulfilling formal and general information security assurance requirements
• Aiming at innovative and unique solutions instead of stereotyped systems
• Relying on internal business performance self-assessments and advanced information security assurance communication instead of third party audits and certifications of "artificial" information security management systems
• Taking advantage of tacit knowledge instead of only records of explicit data and information
• Networking with partners and recognized worldwide communities of multifarious expertise
• Supporting various ways of collaborative learning instead of narrow-minded and reactive control only
• Reinforcing and using the company's own internal awareness and expertise instead of passive use of external consultants


Epilog 2: Keep your organization's identity when applying general information security standards

There will also be in the future standards experts who don't understand, or don't want to understand, the business realities of real organizations.

The consensus process of standardization has a detrimental influence on the clarity of general standards and increases their ambiguity: "Stupidity condenses in the masses - the mob has many heads but no brains."

However, standards must not hinder creative application of the standards by responsible organizations.


Juhani Anttila, independent expert, Venture Knowledgist

• Expertise of more than 40 years in the field of quality and 20 years in information security
• 35 years in different quality related positions at Telecom Finland and Sonera Corporation
• Several decades' involvement with international and national standardization of quality, reliability, information security and telecommunications
• Many years Assembly Representative and Vice President of the European Organization for Quality (EOQ)
• A founder and developer of the Finnish National Quality Award; developer and assessor of the European Quality Award
• International Academician for Quality (Member of the International Academy for Quality)
• Honorary Member of the Finnish Society for Quality; Honorary Fellow Member of the Quality and Productivity Society of Pakistan
• Board member or chairman in some companies
• Expert adviser to several organizations in quality management, dependability management, information security management, crisis management and social media, and lecturer at some universities
• Expert in projects in some developing countries
• Contributing through writings, lectures and speeches globally on five continents

(Ref.: http://www.qualityintegration.biz/contacts.html)