Managing IT Security Relationships within Enterprise Control Frameworks

Introduction

Security is a subprocess that impacts with different degrees on all processes within an organization structure. A security strategy is often described as defense in depth and conveys a metaphorical image of structured rigidity in the face of assessed risks. An effective business security strategy has elements of defense in depth theory but also other philosophical insights that include flexibility and rapid response. In the CobiT control framework security is defined as “Ensure Systems Security” (Delivery & Support (DS 5)) (ITGI, 2007a). The goal of security is to ensure systems security “to safe guard information against unauthorized use, disclosure or modification, damage or loss.” In the ITIL control framework security is described as “Security Management” and has three distinct roles associated with the management (van Bon, 2004b). Its objective is to protect “the value of information in terms of confidentiality, integrity and availability”. Both of these control frameworks acknowledge defense in depth and in the ITIL security management guidelines an additional discussion of flexibility is found: “While it is important to protect information assets with traditional stronghold / fortress approaches it has become equally important to have a skirmish capability when it comes to skirmish events. … The organization must have the capability to rapidly put resources on the ground where trouble is before that trouble has a chance to spiral out of control” (van Bon, 2004a, pp. 181-183).

Protecting information strategically is consequently more than establishing defense in depth and related to strategic positioning and repositioning. Positioning occurs within the enterprise subsystem and in relation to the enterprise system as a whole. In the control frameworks of CobiT and ITIL careful specification of the security process is made and elaboration of the interrelation of the process to others. In CobiT the security process (defined as DS 5; see ITGI, 2007a; 2007b; 2007c) has three input processes, direct input to nine output processes, and influence on “other IT processes”. Similarly in the ITIL control framework security management has relationships with eleven other management processes. The ITIL framework is more explicit as to the nature of the relationship and the consequence of the security process than is CobiT and the CobiT management guidelines. The importance of the security process is emphasized in both control frameworks in relation to the outcomes for the enterprise system. It would appear then that an understanding of process management for successful process outputs is more than the systematic control of one process and as it is acknowledged in the literature, security management has an enterprise wide (across all processes) mandate (Siponen, 2000). It is contended that the current elaboration of the enterprise wide management is lacking in specification for variation in process relationships, variation in impacts, and guidelines for flexible positioning. Analysis and clarification of variation can add knowledge to what is already advocated in the control literature (ITGI, 2005a; Straub & Welke, 1998).