
The Implementation of Deming's System Model to Improve Security Management: A Case Study

Jenn Tang, National Taipei College of Business, Taiwan

International Journal of Management Vol. 25 No. 1 March 2008, pp. 54-66

Threats to information security are increasing with the development of information technology and a greater dependence on the Internet. We report on a case study of a telecommunications marketing company which has successfully changed from being a traditional trading company to a company that relies almost entirely on e-commerce. The PDCA model developed by Deming was used to design a security management system for this company. The system was designed to estimate the chances of breaches in security, to draw up appropriate policies and operational rules to deal with them, and to assure the usability, integrity and confidentiality of data in the company. The system helped the company obtain information security certification from the local accreditation agency, SGS Taiwan. Lessons are developed from the case study for the design and implementation of effective security systems.

Introduction

With the coming of e-commerce and major developments in the internet, many enterprises, including private companies and government departments, agencies and bureaus, have successively computerized their operations, something that involves the storage of data in computers or the communication of data through the internet. Therefore, how to achieve operational security and to maintain safe information systems has become an urgent issue for many enterprises. In this study we develop an information security management system to conform to the standards set by ISO/IEC 17799. As these standards make clear, information security is not just a technical problem; it is also just as much, if not more, of a management problem. By means of an overall planning scheme, targeting the particular requirements of the company in question, using risk management tools, and analyzing and evaluating the security weaknesses and strengths of the company, we hope to develop a comprehensive and effective system that will reduce the security dangers to the company and over time lead to significantly fewer breaches or lapses of security.

Literature Review

PDCA Model

Deming introduced PDCA to Japanese enterprises in 1950, according to which quality improvements take place through four major steps: Plan-Do-Check-Action. Since then Japan has become the world leader in quality management. In 1993, Deming changed "Check" to "Study" in the model, in order to emphasize that 'investigation' and 'analysis' are the basis of Action, thus making it the PDSA model [1]. Another quality 'guru', Juran, argued that the kind of quality circles that had become a popular way of developing and implementing quality improvements in Japan could be improved if they became what he called Quality Progressive Spirals, in terms of which the PDCA series of steps could function differently in different enterprises or companies [4]. Many research studies have examined the functioning of PDCA [e.g., 5, 8, 13, 18, 19], but most have been about quality management and rarely related to information security management. The present study adopts the case study approach to examine the usefulness of the PDCA model as a method for improving the management of information security.

ISO/IEC 17799

The purpose of the ISO/IEC 17799 Code is to establish a set of standard criteria for an Information Security Management System, which is not only designed to provide 'absolute protection' but also to ensure that the enterprise takes full responsibility for its own information security evaluation and control. The terms or headings according to which security issues are examined in the code are: (1) Scope, (2) Terms and Definitions, (3) Security Policy, (4) Organizational Security, (5) Asset Classification and Control, (6) Personnel Security, (7) Physical and Environmental Security, (8) Communications and Operations Management, (9) Access Control, (10) System Development and Maintenance, (11) Business Continuity Management, and (12) Compliance.

The Executive Yuan is the relevant 'governing' institution in Taiwan guided by ISO/IEC 17799. In 1999, the Research, Development and Evaluation Commission of the Executive Yuan issued No. 88-05787, Information Security Management Norm for Subsidiary Institutions of the Executive Yuan [11]. This directive contained 10 chapters similar to ISO/IEC 17799. According to this government directive, information security systems must have: (1) Confidentiality: to ensure that only authorized personnel access information. (2) Integrity: to ensure the correctness and accuracy of information and of the operational methods used to analyze and disseminate it. (3) Usability: to ensure that only authorized users access the relevant information. The Director General of Budget, Accounting and Statistics published the Information Security Manual [6], composed of five chapters dealing with the laws and regulations governing information and communication, from which an Information and Communication Security Self-check List can be derived that enterprises can use to diagnose their own information security problems and perhaps their solutions as well.

Related Work

With regard to Information Security Management Systems (ISMS), Chen Rui-xiang's [9] ISO/IEC 17799 recommended information security standards and internal audit processes stress the importance of the internal control of information security. Yang Hong-Zhen et al. [14] examined the control of information crime and the management of information security by means of the implementation of national standards and criteria in an Information and Communication Safety External Check List. Their study dealt with different methods of preventing information crime and summarized security system research about the control of information security through the implementation of criteria and standards designed according to ISO/IEC 17799. Huang Ming-Da et al. [10] argued that three types of information security control systems are typically adopted by domestic and foreign banks in Taiwan, which respectively emphasize access control, physical and environmental security, and system development and maintenance. However, this research did not include the actual information security situation in the local financial industry in Taiwan, and did not examine the views of individual bankers about how best to manage information security. In a related study, Mao Shi-sen et al. [3] investigated the internet security of rural credit cooperative information centers in Taiwan, but their research did not deal with the management aspect of ISO/IEC 17799. Fan Guo-zhen [15, 16] examined the certification of information security practices, how managers reacted to information and communication security crises, how to prepare for and guard against such crises, as well as how managers can best recover after breaches of or lapses in security. Fan Guo-zhen et al. [17] also examined the monitoring and checking of information security systems. In that paper these researchers proposed the concept of 'verification' to relate or link domestic and international information security management systems at different levels, based on the PDCA, for identifying and assessing risks as well as developing and implementing security controls. Our research applies Deming's PDCA model to information security management in an entire business or firm, using the same kind of model advocated by Deming for production control in manufacturing companies.

Profile of case study firm

Firm Y was established in 1995 in Taiwan. At the beginning, there were only four persons in the company: the boss, a cashier, a salesman, and one engineer. The initial business model was only for trading. The company sold products with a focus on importing materials from outsourcing. In order to survive in a competitive market, Firm Y started developing strategies around 200 after the emergence of electronic commerce. From that time, Firm Y broadened the scope of the company and also began to pay attention to delivering the best services to customers. At the same time Firm Y also developed its own business model to take advantage of the possibilities of e-commerce. Their consumer products were mainly in the fields of communication and computers; for example, mini FM modules, CD players, cellular phones, laptop computers, memory cards, and Bluetooth devices. One year later, in January 2000, Firm Y formally announced to all of its employees that they were following the e-commerce route. At the same time a new department whose purpose was to control the computer network was also built. Due to the efforts of their personnel, and with the help of consultants, Firm Y can be said to have successfully 'migrated' from being a traditional trader to being a firm that relies extensively on electronic commerce (http://www.maotek.com/).

System Design

The purpose of the research was limited to the establishment of an ISMS, including the development of a management model for monitoring and checking the system that was installed. The standards according to which the installed system was assessed were developed from the PDCA model, that is, from the 'Plan, Do, Check, Action' idea or concept developed by Deming [17]. This idea or concept was in turn based on Deming's quality management, which has been considered an effective management model in many industries. The outlines of the proposed model are shown in Fig. 3-1. Our research used the ISO/IEC 17799 standards (based on Deming's PDCA model) to design the framework that 'conformed' to the information security supervisory and audit management systems proposed for the company in the case study. The framework not only shows the information security requirements and the expected effects from within the business, but also considers historical information security events from outside the business. In this respect, it is worthwhile to compare Deming's management circle with our research framework, in terms of the elements of Plan (establish the ISMS environment and risk assessment), Do (ISMS design and implementation), Check (monitor and review the ISMS) and Action (improve the ISMS), as shown in Figs. 3-2, 3-3, 3-4 and 3-5:

Fig. 3-1: Conceptual structure of the PDCA model (Plan, Do, Check, Action; inputs are historical information security events from outside the business and the information security requirements and expected effects from within the business)

Fig. 3-2: Plan's structure in the PDCA model (information security policy; checking out assets; risk assessment; audit items at security levels A, B and C)


Structure of 'plan' phase

According to the requirements of ISO/IEC 17799, it is necessary to develop and implement the following: an information security policy, an information security department in the firm, a system for classifying and controlling the firm's assets, methods for managing physical and environmental security, communications and operations, systems to control access to the information, methods for developing and maintaining the information systems themselves, and ways of managing continuity and changes. In doing this, care must be taken not to influence or interfere with the daily work of the firm that formed the case study. In this respect, it was felt necessary to discuss the structure of the plan, as shown in Fig. 3-2, with the director of the firm, as well as (1) the information security policy, (2) the method for 'checking out' assets, (3) the way in which risk was to be assessed, and (4) the various audit items classified by three information security levels (A, B, and C), according to the actual requirements of the firm.

Structure of 'do' phase

To help ensure the effective and regular monitoring of information security operations, the process was divided into six stages or steps according to the information security software that was applied in each step or stage; these were: (1) the mail management system, (2) the flow monitoring system, (3) the accounts management system, (4) the software download schedule, (5) the information security system, including the detection of backdoor or illegal software, (6) the package management system, and (7) the asset management system, such as document and computer center facilities and computer center logs, to ensure information usability, integrity and confidentiality, as shown in Fig. 3-3.

Fig. 3-3: Do's structure in the PDCA model

Fig. 3-4: Check's structure in the PDCA model

Structure of 'check' phase

At one of its meetings the Executive Yuan of Taiwan approved the 'Project for Establishing a National Information and Communication Infrastructure Security System' [6], in which four levels of information and communication security were defined and identified, namely: Level A, influences public security, social order and people's life and property; Level B, suspends systems, unable to operate businesses; Level C, stops businesses, influences system efficiency; Level D, halts businesses for a short time, can recover immediately. Within the context of these four levels of security, our research was focused on the Information Security Manual and the associated Information and Communication Security Self-check List published by the Director General of Budget, Accounting and Statistics, Executive Yuan, Taiwan, which contains 10 major audit items and 233 sub-items, whose content needs to be modified to make them relevant to the needs of the firm in the case study. Through repeated discussions with the director of the firm in the case study, the 10 major audit items and 233 sub-items were customized in respect of the three levels A, B and C. Specifically, for Level A 'Strict Check' all items had to be checked, for Level B 'General Check' this was reduced to 188 sub-items, and for Level C 'Simplified Check' it was further reduced to 102 sub-items; these three security levels could be raised or lowered according to different organizational information security requirements. However, no matter at what level of security the checking was done, the requirements of all 10 sections in ISO/IEC 17799 were required to be met in order for the information security audit in any firm to be passed or the firm accredited, as shown in Fig. 3-4.

Structure of 'action' phase

Here the researchers discuss the required corrective and preventive actions with the director of the case study firm using the results from the previous audit, referring to actual information security events, especially lapses and breaches. From these discussions, security action plans are developed for the director to execute. Modifications are also made, where necessary, to operations regulations in order for the firm to proceed to the next cycle in the PDCA model, as shown in Fig. 3-5.

System Framework

The actions with respect to each phase of the PDCA model, the individual Plan, Do, Check and Action stages or steps, are integrated to form a comprehensive system framework, as shown in Fig. 3-6.


Fig. 3-5: Action's structure in the PDCA model (historical information security events; information and communication security action plan)

Fig. 3-6: System framework through the PDCA model (Plan: information security policy, checking out assets, risk assessment, audit items at security levels A, B and C; Do: mail management system, flow monitoring system, account management system, software download schedule, information security system with backdoor detection, illegal software detection and information security regulations, software system, asset system; Check; Action: historical information security events and the information and communication security action plan)


4. Results and Discussion

Functions in Plan

Checking of levels

As mentioned above, drawing up appropriate or relevant information security audit items is the most important task in establishing an effective ISMS. Accordingly, in this research, we 'modified' a total of 10 major items and 233 sub-items from the Information and Communication Security Self-check List in the Information Security Manual published by the Director General of Budget, Accounting and Statistics, Executive Yuan, Taiwan. A suitable information security policy is essential if a firm is to have an effective ISMS. It is also necessary that this policy be reviewed and revised periodically to comply with developments in ISO/IEC 17799; otherwise it could not continue to be used to control security and to check the processes involved. Firms should also publish their information security policy so that all staff know, or are at least aware of, the information security strategies pursued by their firm; this constitutes the 'audit' item of Level A. Details about security levels A, B and C are given below, including what is necessary to achieve each level.

(1) Level A: Information and communication security evaluation operation level; check all 10 major items and 233 sub-items according to the requirements of the firm.

(2) Level B: Information and communication security evaluation operation level; examine the 10 major items and 188 sub-items according to the firm's requirements.

(3) Level C: Information and communication security evaluation operation level; check two major items and 102 sub-items according to the requirements of the firm.

These levels are only suitable as general, as opposed to specific, references, because firms have different requirements, none being quite the same. This means that the particular audit items that are relevant or appropriate in each case will be different, with the scope and rigour of the checking process having to be increased or decreased according to what is actually needed by the particular firm.

Classification of assets

This essential process involves the checking of relevant information about the firm's assets and the establishment of an asset master list. Appropriate personnel need to be appointed to manage and keep information about the firm's assets so that they can be properly controlled and protected and responsibilities clarified, according to the relevant regulations. The Assets Information System that is developed to perform these tasks should cover the following types of assets:

(1) Information Assets: Databases and data files, system documents, user instructions, training data, operation or maintenance procedures, intellectual property rights, and business continuity management plans and recovery steps in the event of errors or losses.

(2) Software Assets: Application systems, system software, development tools, software packages, and shared programmes.


(3) Material Assets: Computer facilities, communication facilities, disk media, officeware, and control centers.

(4) Service Assets: Internet connections, communication services, and frequently used facilities such as heating, lighting, power supplies, and air conditioning units.

Document Integration

Normally, the process of classifying ISMS documents is divided into four stages, as shown in Fig. 4-1, namely: stage 1, development of information security policies; stage 2, management of regulations or instructions; stage 3, applying standard operational procedures; and stage 4, producing records or data sheets.

Structure of 'do' phase

Mailing management functions

The system described here can connect the mail server directly to all the mail messages, which can be printed directly in electronic form so that the messages can be 'transformed' onto a database for further examination and diagnosis. In addition, the webmaster is able to use the database to help him assess the consumption of the bandwidth that is used. In this way, if the mail flow is too large, those responsible can be warned or punished, according to the previously defined regulations regarding the use of the internet in the firm.

Bandwidth monitoring functions

Because of limited internet bandwidth resources, it is often necessary to pay attention to flows in and out of the network so that the office is not mistaken for a 'cyber café'. In the case of abnormal flows, offending staff should be punished or warned, according to the bandwidth monitoring system in place in the firm. The Bandwidth Use Report in our system employs the Microsoft Internet Security and Acceleration Server, which is installed in proxy mode. The content of the report is generated from the proxy server, which contains all the relevant information, including the bandwidth utilized by each account and a ranking of the top browsed websites. It is easy for the webmaster to read and print a daily report at the client site by using the browser to manage the firm's entire internet bandwidth.

Fig. 4-1: ISMS documentation classification (stage 1: information security policies; stage 2: regulations and instructions; stage 3: standard operational procedures; stage 4: forms and records)
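The two views of the Bandwidth Use Report described above (bandwidth per account and the ranking of top browsed sites), as an added example that is not the paper's system: it runs over a constructed, simplified proxy log, and the field layout, the accounts, the URLs and the daily limit are all assumptions, not ISA Server's real log format.

```python
"""Per-account bandwidth and top-site ranking from proxy log lines.

Added example (not the paper's system).  The paper generates this report
from Microsoft ISA Server in proxy mode; here the same two views are built
over a constructed, simplified log so the logic runs offline.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (NOT ISA Server's real format), one record per line:
# "date time account client-ip url bytes-sent bytes-received".
SAMPLE_LOG = """\
2008-03-03 09:01:12 alice 10.0.0.11 http://www.example.com/index.html 512 20480
2008-03-03 09:02:40 bob 10.0.0.12 http://video.example.net/stream.flv 300 52428800
2008-03-03 09:03:05 alice 10.0.0.11 http://www.example.com/report.pdf 400 1048576
2008-03-03 09:05:33 carol 10.0.0.13 http://mail.example.org/inbox 800 65536
2008-03-03 09:06:10 bob 10.0.0.12 http://video.example.net/other.flv 300 31457280
2008-03-03 09:07:59 carol 10.0.0.13 http://www.example.com/ 200 8192
malformed line that must be skipped rather than crash the report
"""

# Assumed per-account daily cap above which a flow counts as "abnormal".
DAILY_LIMIT_BYTES = 50 * 1024 * 1024


def parse_log(text):
    """Yield (account, host, total_bytes) for each well-formed record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # truncated or malformed record: skip, never abort
        _date, _time, account, _ip, url, sent, received = parts
        try:
            total = int(sent) + int(received)
        except ValueError:
            continue  # non-numeric byte counts: skip the record
        host = urlsplit(url).hostname or url
        yield account, host, total


def bandwidth_by_account(text):
    """Total bytes (sent + received) per account, the first view of the report."""
    usage = defaultdict(int)
    for account, _host, total in parse_log(text):
        usage[account] += total
    return dict(usage)


def top_sites(text, n=3):
    """Top n browsed sites by bytes, the second view of the report."""
    by_host = defaultdict(int)
    for _account, host, total in parse_log(text):
        by_host[host] += total
    # Sort by bytes descending, then host name for a stable ordering.
    return sorted(by_host.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def abnormal_accounts(text, limit=DAILY_LIMIT_BYTES):
    """Accounts whose daily traffic exceeds the cap, for the webmaster to review."""
    return sorted(a for a, b in bandwidth_by_account(text).items() if b > limit)


def daily_report(text):
    """Assemble the three sections the webmaster reads each day."""
    return {
        "by_account": bandwidth_by_account(text),
        "top_sites": top_sites(text),
        "abnormal": abnormal_accounts(text),
    }


if __name__ == "__main__":
    report = daily_report(SAMPLE_LOG)
    for account, total in sorted(report["by_account"].items()):
        print(f"{account:<8} {total:>12} bytes")
    print("top sites:", report["top_sites"])
    print("abnormal :", report["abnormal"])
```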

Account management functions

This function centralizes all accounts in the business for management and also maintains the accounts of leaving staff.

Software downloading functions

It is common for the intranet to be affected by viruses or backdoor programs. This is mainly because employees always feel free to download files from the internet. To overcome this problem it is recommended that employees be prohibited from downloading files unless for business purposes. It is also suggested that employees submit the required application forms to the controller, and that the internet operator in the control center schedules downloading for nights after the firm closes down and gives the downloaded files to returning employees only after the files have been tested and found to be clean of viruses. Our system uses the FlashGet program to download packages, since it is a programme that only needs the payment of a small registration fee to obtain the right to legal use.

Information security functions

This kind of function covers the following three areas:

Backdoor detection: The intranet is probed and scanned periodically to find out system weaknesses before or earlier than hackers and to take corrective actions. Our system makes use of free programs, such as the Microsoft Baseline Security Analyzer and Nessus on the Linux platform. To make effective use of such programs, it is necessary for the client to set up a site that uses the Windows platform.

Illegal software detection: It is necessary here to set up an asset management system within the office, such as the Microsoft Systems Management Server, that can simultaneously detect the hardware facilities of the end user, produce a list of software that has been installed, detect changes in hardware accessories and detect illegal software. For this to happen, it is required for the client to be a site of the Microsoft Systems Management Server.

Information security regulations: Here the information security documents required by each audit item must be 'designed into' the document columns in the database system in order to facilitate the management and maintenance of the information security documents as and when they are required by the firm.


Package management functions

Software newly purchased by the firm should be filed immediately for copyright reasons, thus controlling the authorized quantities of copyrighted software and preventing the firm from exceeding the authorized quantities and violating intellectual property rights.

Asset management functions

Information assets that have been risk assessed and graded now need to be classified. The database for searching, updating and maintaining them is 'built in' to our system, which also continues to perform updating and maintenance functions. Information assets can be classified in terms of these categories:

Documents: Forms, contracts, business papers, personnel data, purchasing data, and invoices.

Software assets: Application systems, software systems, development tools, and software packages.

Physical assets: Computer facilities, network facilities, and storage media.

Personnel: Full-time staff, part-time staff, and contractors.

Information: Databases, data files, system documents, user instructions, training data, operation and maintenance procedures, intellectual property rights, business continuity management plans, and recovery procedures.

Checking Functions

Any 'inappropriate' or 'error' executions of the 233 sub-items of the 10 major audit items should be recorded here. A list of all the completed items of the information and communication security action plans should also be recorded. Measures for correction and prevention should be addressed, and they should also be activated when necessary.

Action Functions

If any 'checking' item has not been completed, it must be 'moved into' the information and communication security action plans. The director can appoint personnel to make improvements and confirm the results in the next cycle of PDCA. A 'comparison' of erroneous or inappropriate internal information security items with actual external information security events can help to develop and further improve the ISMS in the firm.
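The level-based selection of audit items (Checking of levels), the recording of non-'ok' executions (Checking Functions) and the carry-over of unfinished items into the next cycle's action plan (Action Functions), as an added example that is not code from the paper's system; the seven-item checklist, its identifiers, major-item names and assignees are constructed placeholders standing in for the real 10 major items and 233 sub-items.

```python
"""Level-based checking and the check-to-action carry-over of the PDCA cycle.

Added example, not the paper's system.  The real Self-check List has 10 major
audit items and 233 sub-items (Level A checks all 233, B 188, C 102); the
checklist below is a constructed stand-in that only shows the mechanism.
"""
from dataclasses import dataclass, field

# Level A = strict check, B = general check, C = simplified check.
LEVEL_RANK = {"C": 0, "B": 1, "A": 2}


@dataclass(frozen=True)
class SubItem:
    ident: str       # constructed "major.sub" identifier
    major: str       # major audit item it belongs to (constructed names)
    min_level: str   # least strict level at which the item is still checked


CHECKLIST = [
    SubItem("1.1", "Security policy", "C"),
    SubItem("1.2", "Security policy", "B"),
    SubItem("2.1", "Asset control", "C"),
    SubItem("2.2", "Asset control", "A"),
    SubItem("3.1", "Access control", "C"),
    SubItem("3.2", "Access control", "B"),
    SubItem("4.1", "Operations", "A"),
]


def items_for_level(level, checklist=CHECKLIST):
    """Level A checks everything; B and C progressively drop sub-items."""
    rank = LEVEL_RANK[level]
    return [i for i in checklist if LEVEL_RANK[i.min_level] <= rank]


def uncovered_majors(level, checklist=CHECKLIST):
    """Major items a level's selection leaves with no sub-item at all.

    The paper requires every section to be met whatever the level, so a
    selection is only acceptable when this list is empty.
    """
    majors = {i.major for i in checklist}
    covered = {i.major for i in items_for_level(level, checklist)}
    return sorted(majors - covered)


@dataclass
class ActionPlan:
    cycle: int
    open_items: dict = field(default_factory=dict)   # ident -> assignee


def run_check(level, results, checklist=CHECKLIST):
    """Record every checked sub-item whose execution was not 'ok'.

    results maps ident -> 'ok' | 'inappropriate' | 'error'; a checked item
    with no entry was not completed.  Returns (record, idents for the plan).
    """
    record = {}
    for item in items_for_level(level, checklist):
        outcome = results.get(item.ident, "not completed")
        if outcome != "ok":
            record[item.ident] = outcome
    return record, list(record)


def build_action_plan(incomplete, assignments, cycle):
    """Move unfinished items into the next cycle's action plan (Action phase)."""
    plan = ActionPlan(cycle=cycle + 1)
    for ident in incomplete:
        plan.open_items[ident] = assignments.get(ident, "unassigned")
    return plan


def confirm_results(plan, confirmed):
    """Director confirms the items fixed; the rest roll into the next cycle."""
    return {i: a for i, a in plan.open_items.items() if i not in confirmed}


if __name__ == "__main__":
    results = {"1.1": "ok", "1.2": "inappropriate", "2.1": "error", "3.1": "ok"}
    record, todo = run_check("B", results)
    plan = build_action_plan(todo, {"1.2": "policy owner", "2.1": "asset owner"}, cycle=1)
    print("level C leaves uncovered:", uncovered_majors("C"))
    print("check record:", record)
    print("action plan for cycle", plan.cycle, ":", plan.open_items)
    print("still open after confirmation:", confirm_results(plan, {"2.1"}))
```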

Conclusions

It is a complex process to establish an ISMS, which can test the determination and patience of directors and staff. The management of the four levels of documents shown in Fig. 4-1 also needs considerable manpower and can be costly in time. Information security protection must not involve the firm in imposing too many restrictions, but if the firm is insufficiently aware of the need to protect itself against security risks or threats, this can work against taking the appropriate security measures. What is needed is a balance between 'restrictions' on the one hand and 'security measures' on the other. In the present case the introduction of the PDCA-ISMS model resulted in the firm being accredited, gaining the Information Security Management ISO/IEC 17799 certificate signifying that it had met the ISO standard as required, with only one minor and zero major nonconformities. According to the ISMS Documentation Classification shown in Fig. 4-1, the firm provided the relevant documents to comply with the clauses of ISO/IEC 17799. By meeting the external audit (surveillance) criteria, in providing all the documentation required, the firm in this case study has effectively conformed to the requirements of the audit standards. In so doing the firm has met its goals and can be regarded as having both an efficient and an effective ISMS, from its own point of view and that of the auditors.

Through the tools offered by this system, the firm can gain the security benefits inherent in the successful application of the PDCA cycle and in so doing can 'simplify' the planning and administrative processes. In the past, internal ISMS audit planning and administration was usually done by administrators using paper and pen to identify and record security breaches or lapses inside the firm, typically referring to their own Information and Communication Security Check List. In contrast, the PDCA-ISMS described in this paper offers a 'total solution' through its 'checking functions' at levels A, B and C. The PDCA cycle in this case enables managers to control and monitor information security at all times. In addition, the e-documents that are produced in the process enable relevant ISMS information security documents to be retrieved whenever necessary, both quickly and easily. This allows managers to utilize the relevant documents in such a way that the quality of the information security maintenance and operation function can be effectively controlled and maintained.

Managers responsible for the installation and maintenance of the PDCA-ISMS model in the firm believed that it had achieved a number of benefits for them. Specifically, as regards the centralization of management, the PDCA-ISMS provided 'do' functions that simultaneously detect and control security breaches and lapses. The 'ultimate advantage' of these functions, they felt, consisted in their capacity to prevent those responsible for security issues from 'running about' checking variations and deviations after audits had been completed, by making full use of the resources of centralized management. Another advantage of the PDCA-ISMS model concerns the monitoring of the status of security. In this respect, the PDCA-ISMS can record and collect the necessary information about the online 'security status' of each computer in the network and gather statistics on any computers that are off-line for a long period. This information or data enables managers to identify security problems in time and reduce or solve them before they can do much or any damage. The PDCA-ISMS model can also reduce costs in terms of man-hours. The cycle that is inherent in PDCA allows managers to observe security variations and deviations continuously, at any time, thus making it simpler and easier to solve or reduce any particular or specific security problem when it arises. Furthermore, because the PDCA process or cycle 'automatically' identifies security deviations or variations, this reduces the number of personnel required for control and maintenance, allowing more personnel to undertake other tasks or duties, not necessarily connected to information security.

There are also employee aspects to the benefits derived from the PDCA-ISMS model.


In addition to controlling external threats or risks to information security, there are numerous security problems that arise from internal mistakes or errors, or even from carelessness on the part of personnel, that need to be controlled and managed. In this regard, because security can be regarded as a 'systematic series of problems' that involves people at every stage, it has been said that 'security is a process, not a product' (12). In this respect, it is almost impossible to regulate people's behavior with regard to security issues just through a good 'product', no matter how perfect; the 'product' needs to be executed by people, the employees of a firm, to have positive effects. Without effective implementation and control through the cooperation of many people, a process such as PDCA-ISMS could not work properly. Managers should learn from the successful implementation of the PDCA-ISMS model described in this paper that it is relatively easy to get employees to adopt a 'security outlook', to think of the security implications of everything they do or say in the firm; that solving any breaches or threats to security requires the effective collaboration of many people working together; and that people often learn how to solve or reduce security problems after the event, once there have been actual breaches or identified threats to security.

Effective information security management has become one of the major concerns of firms today. To be helpful, the PDCA-ISMS model described in this paper needs to operate continuously according to the 'plan-do-check-action' cycle, following the four steps of Deming's model. It needs to monitor the functions of the firm continuously, so as to find security weaknesses and correct them at once, as soon as they appear. The PDCA-ISMS model needs to improve the security level in a firm, moving it from level C to A when the firm is being certified or intends to seek certification. What is required is that the system runs smoothly and in such a way that managers can continue going about their normal duties or tasks without having to worry about specific security issues all the time.

As made clear earlier, the general aim of the PDCA-ISMS model in this paper is to enable firms to meet the requirements of the ISO/IEC 17799 standards. However, even when this aim is accomplished, there will still be some unavoidable human problems due to artifice, interpolation or imitation. We consider that the PDCA-ISMS is suitable for helping firms to meet external accreditation criteria, especially when their information security systems have to be changed to satisfy changing requirements. As regards future studies, the present investigation should help by pointing the way towards ways in which the idea of the PDCA cycle can be used to save time in identifying lapses or threats to security whilst at the same time helping firms to meet external criteria laid down by accrediting agencies. However, despite the success of the present model, it remains a good idea to develop new versions of the current PDCA model for improving and evaluating the performance of ISMS in firms.

Acknowledgement

Thanks to Z.-X. Lin, F.-G. Lee, H.-Y. Yin, Q.-F. Lee, J.-Y. Jiang, Y.-Z. Chen et al. for their assistance.

References

1. Deming, W. Edwards (1993). The New Economics: For Industry, Government, and Education. Cambridge, Mass.: MIT Press.

2. Schneier, Bruce (2000). Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons, Inc. ISBN 0-471-25311-1.

3. Mao, Shi-sen and Guo-hao Huang (2001). Research of Financial Information Network Security. Paper presented at the 12th National Information Security Conference, 89-196, Taipei.

4. Wu, Zheng-chong and Shi-jian Yang (1994). Juran's Quality Handbook, translated by Chinese Productivity Center (Joseph M. Juran, 1989).

5. Lee, Kun-lin (2000). Construction of Total Quality Management, Knowledge Management and Learning Organization Integration Model. Unpublished master thesis, Graduate Institute of Business Administration, National Chung Cheng University, Taiwan.

6. Executive Yuan (2002a). Information Security Manual, Version 3. Directorate General of Budget, Accounting and Statistics, Executive Yuan, R.O.C.

7. Executive Yuan (2002b). Establishing National Communication and Information Infrastructure Security System Plan. Approved at the No. 2718 Meeting, Executive Yuan.

8. Chang, Ti-yuan (2001). Research of Enterprise's ISO Certification and Knowledge Strategy Integration. Unpublished master thesis, Graduate School of Business Administration, Chung Hua University.

9. Chen, Rui-xiang (2001). ISO/IEC 17799 New Information Security Standards and Internal Audit. Internal Audit Journal, Vol. 37, 16-20.

10. Huang, Ming-da and Shu-hui Zeng (2002). Evaluate Bank Industry's Information Security Environment Based on BS7799. Paper presented at the 13th National Information Management Academic Seminar, 1-8, Taiwan.

11. Huang, Fang-chuan (1999). Information Security Management Norm for Subsidiary Institutions of Executive Yuan, R.O.C. Research, Development and Evaluation Commission, Executive Yuan, issued No. (88) 05787.

12. Huang, Fang-chuan (2001). Information Security Manual. Directorate General of Budget, Accounting and Statistics, Executive Yuan, R.O.C.

13. Huang, Ge-zhi (2001). Construction of Management System Process Analysis Framework: An Example from Taiwan Invested Small and Medium Enterprises in China. Unpublished master thesis, Graduate School of Industrial Engineering and Engineering Management, National Tsing Hua University, Taiwan.


14. Yang, Hong-zhen, Yi-long Lin and Jun-xiong Wang (2001). Discussion of Information Crime and Information Security Management: An Example from BS7799. Paper presented at the 12th National Information Security Conference, 381-388, Taiwan.

15. Fan, Guo-zhen (2000a). Information Security Management Certification Summary (1), (2), (3). Standards and Inspection Magazine, Vol. 17, 18 and 19, 63-72, 48-62 and 21-35.

16. Fan, Guo-zhen (2001b). Draft Opinion on Communication and Information Security Crisis Event Management System. Paper presented at the 11th National Information Security Conference, 117-124, Taiwan.

17. Fan, Guo-zhen, Ren-wei Fang, Ching-Jin Lin and Jin-chang Huang (2001c). Research of Information Security Management System Verification. Paper presented at the 2001 National Information Computer Conference, 121-131, Chinese Culture University, Taiwan.

18. Lia, Liang-yi (2001). Research of Software Development Process Capability Evaluation Model. Unpublished master thesis, Graduate School of Defense Information, National Defense Management College.

19. Yong, Yi (2001). Research of Improving Production System by Concurrent Engineering. Unpublished master thesis, Department of Industrial Engineering and Management Information, Hua Fan University, Taiwan.

20. BS 7799-1 (2000). Information Security Management, Part 1: Code of Practice for Information Security Management. British Standards Institution.

21. BS 7799-2 (2002). Information Security Management, Part 2: Specification for Information Security Management. British Standards Institution.

Contact email address: [email protected]
