Abstract
The importance of data privacy, information availability, and integrity is increasingly recognized. Sharpened legal requirements and increasing data leakages have further promoted data privacy. In order to implement the different requirements in an effective, efficient, and sustainable way, the authors integrate different governance frameworks to their holistic information security and data privacy model. More than 1.5 million organizations worldwide are implementing a standard-based management system. In order to promote the integration of different standards, the International Standard Organization (ISO) released a common structure. ISO/IEC 27001 for information security management was changed accordingly in October 2013. The holistic model fulfills all requirements of the new version. Its implementation in several organizations and the study's results are described. In that way data privacy and security are part of all strategic, tactical, and operational business processes, promote corporate governance and living security, as well as the fulfillment of all standard requirements.
TopIntroduction
Due to globalization and increasing competition, information and supporting technology have become key asset and differentiators for modern organizations. Organizations and their information and information systems are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. 92% of large enterprises had a security incident in the last year with an average cost of 280.000-690.000 £ for the worst incident (PricewaterhouseCoopers, 2010). Threat agents have increased in the last years sophistication of their attacks and their tools (ENISA, 2013). The security incident have increased 25% over the previous year, while the average financial cost of incidents are up 18% (PricewaterhouseCoopers, 2013). Mobile and cloud computing, off-shoring, social networks and the increasingly interconnected, flexible and virtualized business complexity and dependencies are still great challenges for data privacy and information security.
In the last years, the legal and regulatory requirements in this area have been sharpened. Most modern corporate governance guidelines, and always more laws, make the board and specifically the CEO responsible for the well-being of the organization. Data breaches and lack of security compliance may result in loss of confidence of customers, partners and shareholders, as well as severe civil and criminal penalties for board members (Saint-Germain, 2005; Clinch, 2009). More and more organizations are reducing their business risks by seeking assurance that their supplier and partners are properly protecting information assets and ensuring business continuity (Saint-Germain, 2005). In this respect the availability of all essential assets, confidentiality, data privacy, data integrity and legal and regulatory compliance are central for organizations’ success (Bélanger & Crossler, 2011; Da Veiga & Eloff, 2007; Solms & Solms, 2009; Sowa, Tsinas & Gabriel, 2009). This poses great challenges for small and medium sized organizations. They need a very efficient and functional approach, which can be smoothly integrated in their daily business.
More than 1.5 million organizations worldwide are implementing a standard based management system based on international standards (e.g. quality ISO 9001, or environment ISO 14001, IT service management ISO 22000 and others) (ISO, 2013a). In order to promote an efficient integration of different standards, the International Standard Organization [ISO] released a common structure for all management systems’ standards, the Annex SL of the ISO/IEC Directives (ISO, 2013d). In accordance to this new structure, ISO published in October 2013 the new version of the ISO/IEC 27001 (ISO, 2013b) and ISO/IEC 27002:2013 (ISO, 2013c) information security management standards. More than 19.500 organizations worldwide have just implemented an information security management system in accordance to the old version of ISO/IEC 27001 (ISO, 2013a). In order to maintain their certificate they have to adjust their system to the new requirements. The international standard provides requirements for establishing, implementing, maintaining and continually improving an information security management system to meet the specific security and business needs/objectives of the organization. It is important that the information security management system is part of and integrated with the organization’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls (ISO, 2013b; 2013c).
Key Terms in this Chapter
Information Security: Information security is the preservation of confidentiality, integrity and availability of information. In accordance to corporate objectives and strategies, as well as stakeholder’s, legal, regulatory, business and standard requirements other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.
Policy: The policy provides the overall intention, direction, principles and values of an organization in accordance to stakeholders’, legal, regulatory and standard requirements and the characteristics of the business, the organization, its location, assets and resources. It is a framework for setting objectives and measuring their achievement.
Business Process: A business process is a set of interrelated or interacting activities which transforms inputs into outputs to meet defined objectives by respecting constraints and requiring resources.
Information Security Governance: Information security governance is an integral part of corporate governance. It provides the strategic direction for information security, ensures that objectives are achieved, and ascertains that risks are managed appropriately and responsibly. In that way information security sustains and extends organizations strategies, objectives and controlling for sustainable organizations’ success.
Risk Assessment: A risk assessment is a systematic use of information to identify sources of risk, to estimate the risk and to compare the estimated risk against given risk criteria to determine the significance of the risk.
Management System: A management system identifies, understands and manages interrelated or interacting processes and activities to establish the organizations’ objectives accordingly to stakeholders’, legal, regulatory and standard requirements and to achieve those objectives sustainable. It consists of a corporate policy, objectives, planning activities, responsibilities, organizational structure, policies, practices, procedures, processes and resources. Due to external and internal changes it must be continually adjusted and improved.
Information Security Management System: An information security management system is part of the overall management system (see Management System). It is based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security accordingly to stakeholder, business, standard, legal and regulatory requirements.
Quality Management System: A quality management system is a management system (see “Management system”) to direct and control an organization to fulfill stakeholder requirements. It includes the establishment of the quality policy and objectives, as well as quality planning, quality control, quality assurance and quality improvement.