Information Security in Business and Government Sectors

Aleksandar Klaić
Protuobavještajna agencija
Ulica grada Vukovara 33, 10000 Zagreb, Croatia
E-mail: [email protected]

Abstract – The information security organisational and management models of the business and government sectors nowadays have much in common, in spite of their different traditional backgrounds. Besides similarities in content, organisation and the way of governance, the government and business sectors share common new trends that, for a number of reasons, bring them closer to each other in this complex area. The global standardisation process, the development of the information society, the introduction of public e-services, and the close connection among the key factors of the information society (citizens, the business sector and the government sector) call more intensively not only for a common set of security criteria but also for process controls that will assure the implementation of such criteria. Security standards that used to be typical only of strategic government projects and institutions should nowadays be included in the policy of any successful private company. Organisational models focused on core business, market and clients are becoming a necessity in modern government administrations. Regulations concerning security policies, procedures, guidelines or best practices are more and more alike in the government and business sectors, while public-private partnership initiatives clearly indicate that the two sectors are going to meet in the field of information security in the near future.

I. INTRODUCTION

The experience of developed countries shows that financial investment and technological achievements are not enough for establishing a successful process of building an information society. Therefore, in the last few years, developed countries have intensively started to turn to information security programmes in all segments of society. The general goal is to achieve confidence and security as the key categories for the successful development of the information society. Following the model of the traditional society, information security creates the foundation for building and organising the modern information society. The traditional field of traffic can serve as a comparison: the development and application of traffic technologies and resources cannot be separated from traffic security, because preventive and repressive measures are mutually connected, equally developed, and present throughout the life of every citizen. The paper analyses the traditional and modern information security approaches, as well as the similarities between the approaches of the government and business sectors. The focus of the paper is primarily on the development of the modern information society and the role of information security within it.

II. TRADITIONAL INFORMATION SECURITY APPROACH

A. Information Security Development

The background of information security in business differs considerably from that in the government sector, where it has a long tradition based on sound methods of organisation and management. The fundamental goal of a government is to achieve minimal security requirements within the state administration. Such an approach determines security standards and minimal security criteria that widely cover all important government bodies. This is not easy to achieve in the extremely heterogeneous government sector environment (police, military, ministries, offices, etc.). The need for minimal security criteria in the government sector results from the concept of national security, which involves not only the security, police and military segments, but other government bodies as well. Such an information security approach has been successfully deployed for decades, based on the traditional set of security fields such as physical security, personnel security and data security. Along with the development of information technology and its increasing influence on government bodies, a new area, the so-called technical security field, was introduced. Previously autonomous technological fields, such as communication security (COMSEC), computer security (COMPUSEC) and technical security (TECSEC), come together in the technical security field usually called INFOSEC (Information System Security).

Fig. 1. Information security development. (Timeline 1980 to 2010 with the tracks Government Security, EU Security, NATO Security and Business Standards; milestones shown: Security Policy; Security Evaluation and Common Criteria; International Information Security Standardization with DTI, BS 7799, ISO/IEC 17799 and ISO/IEC 15408; Public-Private Partnership; Foundations for Information Society Development.)

Fig. 1 shows information security development over the last several decades, which were crucial for creating the key concepts of today's information security field. Only some of the processes, those considered more important from today's point of view, are shown in Fig. 1. These processes will be discussed throughout the paper.

B. Government Sector

The government sector was traditionally focused on the organisational aspects of information security: first, because it was very hard to manage security in a complex organisational environment, and second, because of a long tradition of international governmental cooperation. A clear and sound organisational approach is the key solution to both problems. Therefore, the organisational interoperability concept is widely used in the government sector information security field. It is the key concept that ensures management and distribution of responsibilities in the complex government information security management system. Besides, it is a very effective way to accomplish international cooperation (e.g. Interpol) or to run an association successfully (e.g. NATO). Organisational interoperability criteria in the field of information security are described in TABLE I using a simple functional model of the generic organisational bodies that manage information security.

TABLE I
FUNCTIONAL MODEL OF GENERIC ORGANISATIONAL BODIES THAT MANAGE INFORMATION SECURITY

Name abbr.   Description
NSA          National Security Authority, responsible for general security regulations on the national level
IA           INFOSEC Authority, also known as National Communications Security Authority (NCSA), responsible for technical security regulations on the national level
SAA          Security Accreditation Authority, responsible for accreditation of information and communication systems (usually a hierarchy of bodies)
CISO/LISO    Central/Local Information Security Officers, responsible for controlling security implementations (hierarchical system of security coordinators in government bodies)
ITSOA        IT System Operational Authority, responsible for planning and implementation of information security measures
CERT         Computer Emergency Response Team (usually a hierarchy of bodies)

The functionalities described in TABLE I are assigned to appropriate national bodies using fundamental information security principles. Besides resolving the interoperability issue, this approach recognises the fact that the constitution of state authorities differs from one country to another. Typical principles applied in this process are: assignment of liability to the top level of an organisation (importance), distribution of the development, operational and control functions (stimulating quality), coordinating the work of the security and civil sectors (optimal use of resources), etc.

Setting up an information security management system that complies with certain international integration processes is based on explicit and implicit demands. Explicit demands result from national legislation, regulations and various integration documents that contain the partnership goals of certain associations (e.g. NATO). Integration documents usually contain accreditation and certification methods for verifying the achievements. Implicit demands contained in the legislation and regulations of a targeted association are harmonised during the association process, based on the agreement between the two parties. The process of harmonisation covers different fields that directly or indirectly deal with information security.

Information security policy determines the fundamental security principles and the minimal security criteria that should be met by implementing the policy. The baseline policy document defines the fundamental government strategy regarding the security approach and the implementation of the policy. Thus, the general goals of the security policy and its extent for each security field are set by the highest authority in the state. The baseline policy document also defines fundamental guidelines for management and fundamental security principles, and provides references to the documents that elaborate the security policy (decrees, books of rules, guidelines and recommendations). The security policy consists of a hierarchically structured set of regulations, from organisational and functional elaborations to implementation procedures.

C. Business Sector

The influence of information security concepts on the business sector became more visible and significant by the end of the 1990s. The initiative of the British Department of Trade and Industry (DTI) was pivotal. It resulted in the British Standard BS 7799, adopted a few years later by the International Organization for Standardization as ISO/IEC 17799:2000.

Information security within the business sector was traditionally related only to some industrial corporations involved in special government and military projects. Apart from them, only the financial and assurance business sector had more significant experience in that field. The increasing role of information security in the business sector came as a result of a growing number of threats arising from the accelerated development of information and communications technology (ICT) and the spread of the Internet. Information security was thus at first reflected almost exclusively through the field of information technology (IT) security, with very little influence on business policies; but the growing dependence of business processes on IT and the accelerated development of the Internet market have prompted the integration of IT security into a much wider information security concept.

III. MODERN INFORMATION SECURITY TRENDS

A. Information Society

At the turn of the 20th and 21st centuries new factors started to influence both the government and business sectors. The development of the information society has become the key factor in the paradigm of modern government administration, resulting in internal reorganisations, optimisation of business processes and computerisation of the state administration, with the goal of offering e-services to citizens and the business sector. The traditional role of the state administration has thus changed: it has now become an active participant in the information society market. New regulations, such as those related to personal data privacy, freedom of information and public sector information reuse, as well as growing security demands caused by numerous new threats, give rise to enormous problems that a modern state administration needs to deal with. It also needs to balance its approach among these new criteria of doing business in the information society market.

Although just a preliminary step, the computerisation and interconnection of government bodies introduce a number of crucial initiatives for the development of the information society. The most important initiative is the standardisation of the ICT and information security fields. This is especially important because of the extreme pace of technological development and the current processes of liberalisation and deregulation of telecommunications. The second important initiative is the integration of the concepts and demands of information security into the foundations of the future information society. Consequently, following the example of the traditional society, the organisation of the information society would be based on the prevention of potential threats and on responsibility for the development of protective and repressive measures. The third important initiative is the interoperability issue, with its technical, semantic and organisational aspects. To make use of the potential of the information society, an adequate level of interoperability of computer systems, networks and other infrastructure (technical interoperability) should exist, as well as interoperability of applications in the sense of the precise meaning of information (semantic interoperability). In order to enable a complete and actual exchange of information, some other parameters have to be defined, like liability or compliance with regulations (organisational interoperability).

B. Standardisation

The standardisation process today is a process stimulated and supported by the government, in which the business sector and expert government bodies mutually participate in developing new content. The traditional standardisation approach was focused primarily on the national adoption of international standards. Such an approach is insufficient in the field of ICT because of the great development dynamics and complexity of the field. Computer technology development has led to proprietary standards, owned and developed by one or more companies with substantial market influence. Adoption of proprietary standards by the government sector has the adverse effect of polarising the market and can lead to incompatibility with some national or international rules of market competition. Because of these problems with the traditional and proprietary standardisation models, the government sector usually emphasises the importance of open standards developed by non-profit organisations like the IETF (Internet Engineering Task Force). Having in mind the described environment, the task of the modern government sector is to create a national standardisation framework and to stimulate and coordinate the standardisation process. The main factors in the standardisation process are business companies and expert government and public bodies. One of the modern ways to launch initiatives in this field is the programme-oriented approach (e.g. the Standardisation action plan of the eEurope programme). Its basic goal is to stimulate the use of open standards and to define the set of standards in the programme framework.

Standardisation in the world today is affected by global threats like terrorism, but also by growing ICT threats. Such threats, which jeopardise both traditional and information societies, have triggered wide security standardisation processes in the most developed parts of the world (e.g. ANSI-HSSP in the USA, Protection and Security of the Citizen in the EU). Such processes are becoming more and more integrated, considering traditional and modern threats and approaches to security together. For example, the standardisation programme ANSI-HSSP (American National Standards Institute – Homeland Security Standards Panel) equally addresses the traditional security field (decontamination standards, radiological and nuclear detectors, anthrax detectors, etc.) and the modern information security field (cyber security standards, interoperable communications, certification of equipment and personnel, etc.).

The described world standardisation trends exert influence upon the traditional process of international standardisation. ISO has established the Subcommittee for IT Security Techniques (SC 27) under the Committee for Information Technology (JTC 1). The task of the ISO/IEC JTC 1 SC 27 subcommittee is the long-term standardisation of generic methods and techniques for IT security. The fundamental goal of such an international standardisation process is to guide the use of the successful standardisation processes of developed states throughout the world (e.g. the British BS 7799). A high level of both international and national standardisation will have a positive influence on industry. In that way the development of devices, systems, and especially software, is guided according to sound demands and features. The influence of standardisation on business process management has a preventive impact on a number of possible security incidents. Standardisation also lays the foundations for undertaking repressive measures. It is extremely important, especially during the time of establishing the modern information society, to have some traditional repressive procedures in place (investigations, forensics and legislation). Furthermore, the influence of the security standardisation process on the safety of society in general is extremely important. It results in an improved security culture and raised security awareness in society. Consequently, it all leads to greater confidence in modern technology and e-services among all three key factors of the information society: citizens, the business sector and the government sector.

C. Information Security and IT Management

Many standards and guidelines covering the related fields of IT management, information security and IT security arose during the second half of the 1990s. Just as ICT standardisation can hardly be separated from IT security standardisation (e.g. ISO/IEC JTC 1 SC 27), so the management of information security can hardly be separated from management in general. The influence of business management on information security is reflected through the security policy of a company or a government body. Security policy demands are realised through the elaboration of organisational and functional policies, and through the use of methods such as risk management, vulnerability assessment, and threat and impact analysis. These procedures result in placing organisational and technical controls in business processes. Most of these information security controls are realised with IT, and some of them are directly assigned to IT. This is why information security is closely related to IT, although it is a non-IT process. The foundation of the information security management system (ISMS) pertains to the field of IT security techniques. The largest and most complex part of IT security is network security. That is why network security is the most easily recognised part of information security. The relevance of network security is growing nowadays because of the global influence of the Internet. For example, the European Network and Information Security Agency (ENISA), founded in 2004, has the IA or NCSA functionality (TABLE I) on the EU level.

Fig. 2. Classification of information security and IT management standards. (Four categories: 1. Corporate Level IT Governance (COBIT); 2. Information Security (ISO/IEC 17799); 3. IT Management (ITIL); 4. IT Security (ISO/IEC 15408/CC).)

Fig. 2 shows the classification of information security and IT management standards in four categories according to the type of standard. A typical, widely known representative is chosen for each category. Their mutual qualitative relationship is shown, primarily from the aspects of content overlap and the scope of each category.

COBIT (Control Objectives for Information and related Technology) is a set of guidelines for IT management and control which connects IT management with business goals. It was developed in 1996 by the Information Systems Audit and Control Foundation (ISACF), and was initially used by the assurance community. Today, COBIT is supported by the IT Governance Institute. ITIL (IT Infrastructure Library) is a set of guidelines consisting of best practices in IT service management. It was created by the British Office of Government Commerce (OGC) with the aim of making the use of government IT resources more efficient. Today it is widely used throughout the world and is the official guideline for the British standard BS 15000 (certification of personnel for IT management). ISO/IEC 17799:2000 is the international standard reached by the adoption of the British standard BS 7799-1. It is the code of practice for information security management and the foundation for the development of security standards and management practices of any organisation. The second part of the British standard, BS 7799-2, is the specification of the information security management system (ISMS), and a certificate of compliance can be obtained only against this second part of the standard. BS 7799 was developed in coordination with the British Department of Trade and Industry (DTI) and is today the most widely known business security standard in the world. ISO/IEC 15408:1999 is the international standard based on the Common Criteria (CC) standard for security evaluation of products (Common Criteria for Information Technology Security Evaluation). The CC standard was initiated by a few developed countries (Canada, France, Germany, the Netherlands, the United Kingdom and the United States), and was based on ITSEC (an EU standard from 1991) and some national standards of the countries involved. This standard is the basis for a common and comparable evaluation of IT security, focusing on the security of systems and products. Partly because of the long tradition, and partly because of the factors mentioned in modern information society development, most of the business standards for management and security of information technology are based on, or at least initiated by, government bodies.

D. Information Security Policy

Security policy is traditionally formed as a hierarchically structured set of documents, which is the basis for the implementation of an information security management system (ISMS). Analysis of a modern information security standard like BS 7799 clearly shows that implementation of the standard results in a similar set of documents: based on the standard, it is necessary to develop a hierarchically structured set of documents, and ISMS implementation is based on that set. This shows the influence of the government sector on modern information security standards. Standards are, more or less, frameworks for the best practices traditionally used in the government sector.

There are several layers in the hierarchical set of documents, which could, according to TABLE II (Information Security Regulations), be divided into: top-level, implementation-level, executive-level and agreement-level. Top-level regulations (General legislation, National information security policy / Company Policy Document) describe the general goals, scope and main principles of information security, and show the commitment and support of the highest authority in the process of implementing information security. Implementation-level regulations (Decrees and Books of Rules / Organisational and Functional Policies) define the framework for information security management based on the selected goals, scope and main principles. Executive-level regulations (Procedures) define the content of the management framework in a specific organisational environment (government body, company, department, etc.). Agreement-level regulations consist of standards, recommendations, guidelines and different kinds of public-private partnerships. This kind of document is often used as a flexible policy element for executive-level documents. Such documents can become part of higher-level documents, based on formal procedures and decisions.

Application of security policy ensures minimal security criteria and compliance with different integration policies and legislative demands. Such demands are not typical of the government sector only, but of the business sector as well. Examples are the processes of cooperation, merging or taking over of companies, especially in an international environment. Applying information security standards ensures common solutions and comparable information security management systems (ISMS). It is much simpler to conduct the mentioned processes in a standardised business environment. Compliance with regulation may arise as a result of national legislation (e.g. the Health Insurance Portability and Accountability Act, HIPAA, in the United States) or as a specific demand of some business sector (e.g. Basel II in the financial sectors of most developed countries). The best way to comply with legislative demands or external policies is to apply an information security standard.

Part of the information security policy is care for strategic goals. Some of the more important ones are security education and security awareness. Such an approach results in a higher degree of confidence in modern e-services among citizens, which is one of the key factors of information society development. Security education and awareness are equally important in the business sector. A typical problem is the hiding of security incidents for fear of damage to business reputation. Improvement in the area of security awareness is possible only with the coordinated efforts and activities of both the government and business sectors. Information security is a process that has to be built into the foundations of the modern information society and it calls for the participation of all society factors: citizens, the business sector and the government sector. Fig. 3 shows the process view of information security on the national level, in comparison with the commonly deployed business process Plan-Do-Check-Act (PDCA) lifecycle.

There are some legislative demands on business operations that arise as a consequence of the business globalisation process (e.g. corporate governance and the Sarbanes-Oxley Act in the United States). Such legislative demands proceed from the position of national market protection in cases of business disasters (e.g. Enron). As a result, companies must comply with the law, which leads to the implementation of certain security controls in their business processes (at the organisational and technical level).

Public-private partnership will have an important role in the development of the information society. Such partnership is initiated by the government sector with the intention of placing common partnership goals and initiatives of the public and private sectors. The goals are national and cross-sectoral from the business point of view. The National Cyber Security Partnership (NCSP) in the United States is a good example. It brings together representatives of the government, industrial and academic sectors. As opposed to the goals of legislative demands, the goal of public-private partnership is the agreement of the involved parties (a common set of rules). The information security field is a complex one because it includes several different approaches: legal, technological and policy. The policy approach is the most important one, because it connects the legal and technological aspects to a specific business or government environment. The application of an information security standard is the simplest way to build and implement an information security policy and to comply with legislative demands.

E. Information Security Categories

The functional model of the generic organisational bodies shown in TABLE I determines the management authorities of each body. The hierarchical set of documents that describes the information security management system (ISMS) is shown in TABLE II (Information Security Regulations).

TABLE II
COMPARISON OF INFORMATION SECURITY CATEGORIES IN GOVERNMENT AND BUSINESS SECTORS

The Basis Categories, compared for the Gov. Sector and the Business Sector:

Information Security Lifecycle Process (common to both sectors)
    Preventive process part: Plan: Security Policy, Vulnerability Assessment, Threat/Impact Analyses; Do: Security Evaluation, Risk Management
    Repressive process part: Check: Security Incident Response, Forensics; Act: Policy Analysis, Criminal Law

Information Security Regulations
    Both sectors: General Legislation like personal data protection, freedom of information etc.
    Gov. Sector: National inf. security policy, Decrees, Books of Rules, Procedures
    Business Sector: Company Policy Document, Organizational Policy, Functional Policy, Procedures
    Both sectors: ICT and information security standards, Open standards, Recommendations, guidelines (national or international)

Management Bodies
    Gov. Sector: Government, NSA, IA, ITSOA, SAA
    Business Sector: Management Board, Chief Security Officer, Consultants/IT dept., IT dept./Consultants, Authorized Third Party

Data Owner
    Gov. Sector: Gov. Body / Functionary or Head
    Business Sector: Company / CEO and Management Board

Infrastructure Owner
    Gov. Sector: Gov. Body / IT dept. or Gov. Infrastructure Agency
    Business Sector: Company / IT dept. or External Company

Fig. 3. Process view of information security on national level in comparison with PDCA cycles. (The preventive process part covers the Plan and Do phases, the repressive process part the Check and Act phases.)

To fully define the ISMS, the information owner and the infrastructure owner should be defined. The concept of owners determines the liability issue throughout the information and infrastructure lifetime. The liability issue is equally important in the preventive and repressive parts of the information security process (Fig. 3). In the preventive part it is used as the principle for separation of duties, and in the repressive part it is used as the basis for legal investigation procedures. TABLE II summarises four key information security categories, comparing these categories in the government and business sectors. Despite some minor differences, the main principles of information security in the government and business sectors are very similar.

F. Information Criteria

The process of information security considers information as an asset. Information must be a part of the inventory like any other asset (physical assets, software and services). There should also be some requirements and criteria for information. TABLE III shows the three groups of criteria.

The relationship between processes and resources, as well as the security requirements (confidentiality, integrity and availability), has traditionally existed. The modern approach puts the accent on expanding the information criteria. Compliance has become a regular criterion of today's information security standards. The reliability criterion is more and more present, while quality requirements are the final goal of all organisational and management processes. There are plans for the further development of ISO information security standards, primarily the introduction of measurement and metrics. It will be the key step in connecting information security standards with quality standards like ISO 9000. As important as quality requirements are, they cannot be attained without solid foundations built on the security requirements of confidentiality, integrity and availability. Security criteria are primarily related to the basic resources (people, data, technology, applications and facilities) that are the foundation of both the traditional and the modern information society.

TABLE III
INFORMATION CRITERIA

Requirements   Information criteria
Security       Confidentiality, Integrity, Availability
Fiduciary      Compliance, Reliability
Quality        Effectiveness, Efficiency

These requirements and criteria are recognisable from the process of information security and from standardisation in general. In the COBIT guidelines the relationship is placed among three parameters: processes, resources and information criteria. In Fig. 4 the relationship of these parameters and information criteria is linked to the development of the information security field.

Fig. 4. COBIT cube [1] and the development of information security field. (Cube axes: Information Criteria (Security, Fiduciary, Quality); Processes (Domains (PDCA), IT Processes, Activities); Resources (People, Data, Technology, Application Systems, Facilities). The development axis runs from the Traditional Approach to the Information Society.)

IV. CONCLUSION

The most ambitious concept of building an information society, that of the EU, is based on the described policies and methods of information security. The concept is based on well known and repeatedly used and tested policies and methods. These methods, however, are used for the first time in such a coordinated way. This has strategically opened the space for the development of an integral information society. While relying on the traditional security policy approach, the EU recommends and stimulates the use of international and open standards. It brings the government and business sectors into harmony, as much as the process of public-private partnership does. There are strong initiatives and activities of the United States in the field of information security, especially after the tragic terrorist attacks of 11 September 2001. These will additionally strengthen and speed up the process of building the information society. By the end of the decade this trend will be completely well-defined, as far as the organisational models of government bodies and business companies are concerned. This means that the demands of the global integration processes and the global market will be fully established, just like the expectations of all participants, countries and companies.

REFERENCES

[1] Expert Committee for Information Security, National Information Security Program of the Republic of Croatia, www.e-hrvatska.hr, 2005. (in Croatian)
[2] COBIT Mapping, Overview International IT Guidance, IT Governance Institute, USA, 2004.
[3] Commission of the European Communities, Network and Information Security: Proposal for a European Policy Approach, COM (2001)298 final, Brussels, 2001.
[4] ISO/IEC 17799:2000, ISO/IEC, Switzerland, 2000.
[5] BS 7799-2:1999, BSI, London, 1999.
[6] Common Criteria for Information Technology Security Evaluation, V2.1, Project Sponsoring Organisations, 1999.