Information Security Governance Using Biometrics

Introduction

According to NIST (National Institute of Standard and Technology) Information Technology (IT) governance is the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. Information Security Governance consist of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages identity and risks appropriately, uses organisational resources judiciously, and monitors the success or failure of the enterprise security programme.

The concern about the Identity Management (IM) which is a subset of Information Security Governance is increasing across the public and private organisations. In private organisation it is most frequently thought of in the context of identity theft. According to FDIC figures, 10 million Americans suffered identity theft in 2003 resulted with a cost to business in excess of US$50 billion and a personal impact that is difficult to estimate¹. As large amount as this sum is, identity theft is at the core of significantly broader economic vulnerabilities and national security concerns. Thus using biometrics to develop identity theft countermeasures has direct impact on civil infrastructure protection. Authentication and identification of people are critical to eliminating threats to organization security and public safety, and securing business transactions. As technology advances and public policy debates continue over the pros and cons of personal identity programs, the identity management industry continues to grow and change. Information and the knowledge based on it have increasingly become recognised as information assets, i.e., a business-critical asset, without which most organisations would simply cease to function. It is a business enabler, requiring organisations to provide adequate protection for this vital resource.

Organizations depend heavily on Information Technology to run their daily operations and deliver products and services efficiently. With an increasing reliability on IT, a growing complexity of organization IT infrastructure, and a constantly changing information security threat and risk environment, Information Security has become a mission-essential function. In order to ensure the organization ability to do business, security must be manage and govern to mitigate the risk to organization. To support their mission organization ensure that agencies are actively implementing appropriate information security control in a cost effective manner to reduce the risk at the required level.

Information Security Governance is a subset of Information Technology Governance and both come under the purview of Corporate Governance. Information Security Governance has recently expanded so much that organisations employ a specific person to handle only Information Security issues (Von Solms, S. H., 2005) Figure 1 presents the relationship between the disciplines, and positions Information Security Governance with biometric recognition. Biometrics is the science of establishing the identity of an individual based on the physical, chemical or behavioral attributes of the person. The relevance of biometrics in modern society has been reinforced by the need for large-scale identity management systems whose functionality relies on the accurate determination of an individual’s identity in the context of several different applications. All three governance types are crucial to a successfully implemented Information Security Governance structure, since all three governance types have some impact on the discipline.

Figure 1.

Information security governance consisting of a number of disciplines