A model to assess the Information Security status of an organization with special reference to the Policy Dimension.

Information Security is becoming a high-priority issue in most organizations. Management is responsible for the implementation of security in the organization. Information Security is a multi-dimensional discipline. A well-defined Information Security Management strategy will enable managers to mana...

Full description

Bibliographic Details
Main Author: Grobler, Cornelia Petronella
Published: 2008
Subjects:
Online Access:http://hdl.handle.net/10210/488
Description
Summary:Information Security is becoming a high-priority issue in most organizations. Management is responsible for the implementation of security in the organization. Information Security is a multi-dimensional discipline. A well-defined Information Security Management strategy will enable managers to manage security effectively and efficiently in the organization. Management must be able to assess the current security status of the organization. Currently, no comprehensive, integrated assessment tool or model exists to assess the total security posture of an organization. The study will address the problem by proposing a high-level integrated assessment model for Information Security. The study is divided into 4 parts. Part one: Introduction to Information Security Management consists of three chapters. Chapter 1 provides the user with an introduction and background to the study. In chapter 2, the study discusses Information Security as a multi-dimensional discipline. The dimensions identified are the Corporate Governance (Strategic and Operational), Policy, People, Risk Management, Legal, Compliance and Technology dimensions. Information Security is no longer a technical issue, it must be managed. The need for an Information Security Management strategy is discussed in chapter 3 of the study. A successful management strategy should be based on a well-defined Information Security Architecture. Part 2: Information Security Architectures, of the study consists of one chapter. Chapter 4 of the study discusses and compares different Information Security Architectures. The study uses the information gathered from the comparative study and best practices: CobiT and ISO17799, to propose a new Information Security Architecture: RISA. The study uses this architecture as a framework for the assessment model. Part 3: Assessing security consists of five chapters. Chapter 5 discusses the characteristics of assessment and proposes an assessment framework. The study recognizes that assessment on the different levels of an organization will be different, as the assessment requirements on management level will differ from the requirements on a technical level. It is important to use best practices in the assessment model as it enables organizations to prove their security readiness and status to business partners. Best practices and standards enable organizations to implement security in a structured way. Chapter 6 discusses the ISO17799 and CobiT as best practices and their role in the assessment process. Chapter 7 of the study discusses various factors that will influence security assessment in an organization. These factors are the size of the organization, the type of organization and the resources that need to be secured. The chapter briefly discusses the various dimensions of Information Security and identifies deliverables to assess for every dimension. The chapter proposes a high-level, integrated assessment plan for Information Security, using the deliverables identified for each dimension. The study refines the assessment plan for the Policy Dimension in chapter 8. The chapter proposes various checklists to determine the completeness of the policy set, correct format of every documented policy and if supporting documentation exist for every documented policy. A policy status result will be allocated to each policy that the organization needs. The status results of all the individual policies will be combined to determine the security status of the Policy dimension. The study proposes an integrated high-level assessment model in chapter 9 of the study. This model uses the RISA and assessment plan as proposed in chapter 7. It includes all the specified dimensions of Information Security. The assessment model will enable management to obtain a comprehensive high-level picture of the total security posture of an organization. Chapter 10 will summarize the research done and propose further research to be done. === Prof. S.H. von Solms