Information assurance is a continuous crisis in the digital world. The attackers are winning and efforts to create and maintain a secure environment are proving not very effective. Information assurance is challenged by the application of information security management which is the framework for ensuring the effectiveness of information security controls over information resources. Information security management should “begin with the creation and validation of a security framework, followed by the development of an information security blueprint” (Whitman & Mattord, 2004, p. 210). The framework is the result of the design and validation of a working security plan which is then implemented and maintained using a management model. The framework serves as the basis for the design, selection, and implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls. A blueprint can be designed using established security models and practices. The model could be proprietary or based on open standards. The most popular security management model is based on the British Standard 7999 which addresses areas of security management practice. The recent standards, called ISO/IEC 27000 family, include documents such as 27001 IMS Requirements (replaces BS7799:2); 27002, Code of Practice for Information Security Management (new standard number for ISO 17799); and 27006, Guidelines for the accreditation of organizations offering ISMS certification, and several more in development. Similar security models are supported by organizations such as NIST, IETF, and VISA. From one point of view, information security management evolved on an application of published standards, using various security technologies promoted by the security industry. Quite often, these guidelines conflict with each other or they target only a specific type of organization (e.g., NIST standards are better suited to government organizations). However, building a security control framework focused only on compliance to standards does not allow an organization “to achieve the appropriate security controls to manage risk” (ISM-Community, 2007, p. 27). Besides technical security controls (firewalls, passwords, intrusion detection systems, disaster recovery plans, encryption, virtual private networks, etc.), security of an organization includes other issues that are typically process and people issues such as policies, training, habits, awareness, procedures, and a variety of other less technical and nontechnical issues (Heimerl & Voight, 2005; Tassabehji, 2005). All these factors make security a complex system (Volonino & Robinson, 2004) and a process which is based on interdisciplinary techniques (Maiwald, 2004; Mena, 2004). While some aspects of information security management changed since the first edition of the chapter (Hentea, 2005), the emerging trends became more prevalent. Therefore, the content of this chapter is organized on providing an update of the security threats and impacts on users and organizations, followed by a discussion on global challenges and standardization impacts, continued with information security management infrastructure needs in another section, followed with a discussion of emerging trends and future research needs for the information security management in the 21st century. The conclusion section is a perspective on the future of the information security management.
Security Threats Escalation And Impact
Reports provided by different organizations include statistics aimed to evaluate the information security field. Although computer security incidents apparently occur with less frequency within organizations, the average losses are up in 2007 compared to previous years (Richardson, 2007). Malware (virus, worms, spyware) losses, which had been the leading cause of loss for the past seven years, fell to second place, after financial fraud and many organizations indicated the presence of targeted attack (Richardson, 2007). More than 72% of e-mail was spam in May 2007 (Kim, Chung, & Choi, 2007) causing users and providers unnecessary spam-classification expenses.
Key Terms in this Chapter
Intelligent System: Emerging computing system based on intelligent techniques that support and complex activities.
Framework: Working security plan, which is the outline of the more thorough blueprint.
Targeted Attack: Attack aimed exclusively at one organization.
Blueprint: A document that describes existing controls and identifies other necessary security controls.
Bots (Zombies): Autonomous programs performing automated tasks.
Security Model: A generic blueprint offered by a service organization.
Phishing: Fraudulent representation of an organization as sender.