In this Section an outline will be given on the discipline of Information Security and some of its related standards. Special attention will be paid to the ISO/IEC 17799 process standard as this information security management standard formed the basis of this case study.
The objective of Information Security is (ITGI, 2001, p 9): “protecting the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity.” In Table 1 these concepts are clarified.
Table 1. Objectives of Information Security (ISO/IEC 17799, 2000, p. VII)
| Concept | Description |
| Confidentiality | Ensuring that information is accessible only to those authorized to have access to it. |
| Integrity | Safeguarding the accuracy, completeness and timeliness of information and processing methods |
| Availability | Ensuring that authorized users have access to information and associated assets when required |
ISACF (2001) adds to these objectives that business transactions as well as information exchanges between enterprise locations or with partners can be trusted (authentication1 and non-repudiation2). Furthermore, they list six major activities involved in information security management:
- 1.
Policy Development—using the security objective and core principles as a framework around which to develop the security policy;
- 2.
Roles and Responsibilities—ensuring that individual roles, responsibilities and authority are clearly communicated and understood by all;
- 3.
Design—developing a security and control framework that consists of standards, measures, practices and procedures;
- 4.
Implementation—implementing the solution on a timely basis, then maintaining it;
- 5.
Monitoring—establishing monitoring measures to detect and ensure correction of security breaches, such that all actual and suspected breaches are promptly identified, investigated and acted upon, and to ensure ongoing compliance with policy, standards and minimum acceptable security practices;
- 6.
Awareness, Training and Education—creating awareness of the need to protect information, providing training in the skills needed to operate information systems securely, and offering education in security measures and practices.
In the next section a number of well recognized and accepted Information Security standards are listed and one specific standard will be discussed in more detail. Then the relationship between information security standards and IT governance in general will be addressed, followed by the management and the value of these standards.