|By Christos K. Dimitriadis||
|February 9, 2011 06:00 AM EST||
As enterprises struggle to remain profitable in an ever-changing risk environment, the current economic crisis has elevated the need for effective business risk management. Information security is a key parameter that affects business risk. The academic definition of information security is the "preservation of confidentiality, integrity and availability of information."  Confidentiality is the preservation of secrecy of information (e.g., business reports, technical designs or financial projections) by ensuring that viewing is conducted solely by authorized people. Integrity is ensuring that information is accurate and consistent and has not been manipulated. Availability ensures that information is accessible to authorized people when needed.
Historically, information security has been addressed primarily as a technical issue. Preventive controls, such as firewalls, user access control mechanisms, encryption of data and communications, digital signatures, data backup systems, and detective controls, such as intrusion detection systems or security monitoring platforms, have formed the basic components of security architecture. Often, the technical controls are complemented by a set of security policies, procedures and guidelines aimed at controlling the actions of personnel.
This approach, though, has proven to be insufficient. Security incidents continue to rise and security problems remain unsolved while information security experts have been challenged to effectively communicate the value of information security to enterprise management. The root cause of these problems may be the definition of information security itself. There is a lack of consistency as each sector, industry and even enterprise has had to define information security uniquely, based on very specific business needs. This lack of consistency has contributed to a lack of understanding and a lack of appreciation for the value of information security.
Information Security Defined
To define information security in an organisation, one must understand its business objectives, identify stakeholders and link them to information protection attributes. Organisations have to be trusted to achieve customer acquisition and retention, which directly affect their revenue. This trust is a key success factor that is directly related to:
- Business integrity-Each business decision is conducted as described in its official literature. It is fair to the customer and inspires trust. Information integrity (avoiding data manipulation) is a key information security component related to customer trust.
- Customer asset protection-Customers need to be confident that their money, credit card numbers and bank account numbers are safe, especially in online transactions, where their funds are essentially electronic. Customers need to trust an organisation to secure their financial assets; confidentiality, integrity and availability are crucial security parameters.
- Customer privacy-Customers provide their personally identifiable information (PII) to a whole host of ‘trusted' sources. As in customer asset protection, trust in the business is important for making them feel comfortable with sharing such information. Trust is particularly important when dealing with large amounts of money because customers have to feel safe and also that their personal data have been protected.
Providing services to the public also has societal and political facets. Businesses must adhere to a governmental regulatory and legal framework. The provision of secure and fair outlets to citizens is a matter of social responsibility. Moreover, the government is a shareholder of business (directly or indirectly through taxing); thus, business success affects the corresponding governmental revenue.
The aforementioned facts are clarified in relation to information security when the drivers of shareholders' trust are studied in more detail. For example:
- Each licensed business has to comply with rules and terms of the license, which in turn have general or more detailed information protection requirements. These vary from general statements for fairness, antifraud rules and service availability requirements to more detailed technical controls such as network security rules, operating security policies or certification requirements. Shareholders need to be confident that a business complies with the license obligations and, more generally, the legal and regulatory framework, since this is a main corporate viability factor.
- In competitive business environments, information security acts as a competitive advantage that, in turn, ensures customer acquisition. Shareholders trust a business if it operates as a competitive corporation, and due to the importance of protecting its information from breaches, information security becomes a competitive parameter.
In relation to the business role of information security, drivers should be:
. Corporate viability, which is driven by compliance of license terms
. Competitive advantage, which ensures customer acquisition
. Brand name value preservation, which ensures customer retention
. Legal and regulatory compliance (e.g., the integrity of financial records and PII protection)
- Customers' trust:
. Business integrity
. Service availability
. Protection of the confidentiality of customers' sensitive information
Using this definition of information security for the business sector, a holistic approach is required for addressing the information security requirements of each unique organisation. This requires a detailed business analysis for embedding information security into the specific business processes and also for addressing the human factor and minimizing the uncertainty it introduces. International security standards provide a solid base for information security from a business perspective.
THE INFORMATION SECURITY STANDARDS LANDSCAPE
In 2006, the Security and Risk Management Committee of the World Lottery Association (WLA)2 published the most recent version of its Security Control Standard (SCS). This standard describes a number of information security controls (technical and procedural) tailored to the lottery sector. Indicatively, it includes rules regarding the management of lottery draws and protection of prize money and Internet gaming systems.
The Security Control Standard (SCS) is an extension of the globally recognized information security standard ISO 27001 of the International Organization for Standardization (ISO), which is related to the establishment of information security management systems (ISMSs). Such systems provide the framework for managing information security from planning to implementation, monitoring and improvement.
ISACA has published a set of information technology (IT) auditing standards and the Risk IT: Based on COBIT framework, which provides a set of guiding principles for effective management of IT risk. Risk IT complements COBIT, a comprehensive framework developed by ISACA for the governance and control of business-driven, IT-based solutions and services. In 2009, ISACA published An Introduction to the Business Model for Information Security, the first publication released under the Business Model for Information Security (BMIS), which addresses information security from a business perspective, and in 2010, the full model was published as The Business Model for Information Security.
Other standards include the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements for enhancing payment account data security, and the Special Publications (800 series) of the US National Institute of Standards and Technology (NIST), which are documents of general interest to the computer security community. The aforementioned standards provide an indicative view of the information security standards landscape. Other standardization bodies and associations provide their own guidelines in the field. In addition, technical security best practices of system vendors provide additional guidelines.
The modern business sector has to select the information security standards to use as a basis for its security architecture, and it must customize this selection according to its specific business needs.
Case Example from the World Lottery Association
In this particular example the ‘customer', so defined by the business model, is identified as the ‘player'. In this situation the definition of information security, specific to the lottery model, also becomes altered. ‘Business integrity' becomes ‘game integrity', ‘customer asset protection' becomes ‘player asset protection', and ‘customer privacy' is therefore ‘player privacy'. In terms of security the needs of a customer and player are much the same; however, due to the proactive nature of a ‘player', whose object is to win prizes rather than conduct typical transactions, the model of risk management must be appropriately tailored. Trust is again the key factor. When a member of the public makes the transition from ordinary citizen to ‘player' on a gaming site, it is vital to ensure that they are aware of the official rules of the specific game. Payouts and prizes, and the procedure for claiming them, must fully conform to the official literature set out by the gaming site. There should be no cases of ambiguity as this is a sure-fire way of discrediting a brand and losing player trust and thus, their custom.
To become an online participant in lotteries and other gaming sites an individual must disclose their sensitive details; this is very often the only means by which one can become a ‘player'. Being able to trust a lottery or gaming site with sensitive details should, therefore, be the foremost concern of a player as there is little point in worrying about payout procedure when compromised details could mean a bigger loss than any potential gain.
The WLA's Security Control Standard takes the above factors into consideration- perfectly illustrating how the security of data can be adapted to a unique business situation.
Studying the information security standards horizontally, a number of basic processes/steps that lead to the identification of information security requirements are:
- Step 1: Business impact analysis-Each business process is recorded and analyzed in terms of business impact from the realization of a possible security threat.
The business must answer a number of questions to calculate the impact of security breaches, including:
- How much would this cost the business in monetary terms?
- What would be the indirect costs (e.g., from reputation loss) if information is sold?
- What would the legal implications be?
Business processes are then prioritized based on an impact scale that identifies the most critical issues.
- Step 2: Risk analysis-During this process, the possibility for the occurrence of a security incident is calculated, based on a database of security weaknesses. The risk analysis takes into account technical and procedural parameters, such as:
- Are there technical controls in place to safeguard customer data?
- Do procedures exist to complement the technical security controls?
- Step 3: Risk management-The result of the risk analysis is a prioritization of risk in relation to the impact level (the result of the business impact analysis) and the identification of possible security measures for addressing the risk. The risk management process-the selection of appropriate security measures for addressing the risk or for risk transferring or acceptance-is determined by the management of the organisation.
- Step 4: ISMS implementation-After the controls have been selected, they should be correlated under a common information security management system (ISMS). This correlation requires deep understanding of the operation of the organisation; consideration of human, cultural, technical, business and external factors; and continuous improvements.
Business Model for Information Security
One of the most recent information security frameworks that addresses information security from a business point of view is ISACA's BMIS.
The following definitions of the BMIS elements (derived from An Introduction to the Business Model for Information Security) are necessary for understanding how BMIS works:
- Organization design and strategy-An organization is a network of people, assets and processes interacting with each other in defined roles and working toward a common goal.
- People-The people element represents the human resources and the security issues that surround them. It defines who implements (through design) each part of the strategy. It represents a human collective and must take into account values, behaviors and biases.
- Process-Process includes formal and informal mechanisms (large and small, simple and complex) to get things done.
- Technology-The technology element is composed of all of the tools, applications and infrastructure that make processes more efficient.
To understand the operation of BMIS in practice, it is important to study the links connecting organization design and strategy, people, process, and technology.
Information security will be understood, provide added value and effectively contribute to the operation of an organization only if it is designed and implemented as a core ingredient of the business strategy. Stakeholder, shareholder and customer trust are the key ingredients of information security; organizations from all sectors should identify such key ingredients in order to provide a business definition to information security.
Enthusiasm for the Internet of Things has reached an all-time high. In 2013 alone, venture capitalists spent more than $1 billion dollars investing in the IoT space. With "smart" appliances and devices, IoT covers wearable smart devices, cloud services to hardware companies. Nest, a Google company, detects temperatures inside homes and automatically adjusts it by tracking its user's habit. These technologies are quickly developing and with it come challenges such as bridging infrastructure gaps,...
May. 23, 2015 02:45 AM EDT Reads: 6,608
NuoDB just introduced the Swifts 2.1 Release. In this demo at 15th Cloud Expo, Seth Proctor, CTO of NuoDB, Inc., discussed why scaling databases in the cloud is challenging, why building your application on top of the infrastructure that is designed with this in mind makes a difference, and what you can do with NuoDB that simplifies your programming model, your operations model.
May. 23, 2015 02:15 AM EDT Reads: 4,332
You use an agile process; your goal is to make your organization more agile. But what about your data infrastructure? The truth is, today's databases are anything but agile - they are effectively static repositories that are cumbersome to work with, difficult to change, and cannot keep pace with application demands. Performance suffers as a result, and it takes far longer than it should to deliver new features and capabilities needed to make your organization competitive. As your application an...
May. 23, 2015 02:00 AM EDT Reads: 3,342
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding bu...
May. 23, 2015 01:15 AM EDT Reads: 4,247
As enterprises engage with Big Data technologies to develop applications needed to meet operational demands, new computation fabrics are continually being introduced. To leverage these new innovations, organizations are sacrificing market opportunities to gain expertise in learning new systems. In his session at Big Data Expo, Supreet Oberoi, Vice President of Field Engineering at Concurrent, Inc., discussed how to leverage existing infrastructure and investments and future-proof them against e...
May. 23, 2015 01:00 AM EDT Reads: 3,037
Cloud Expo New York is happening from June 9 - 11. This event brings together the worlds of Cloud Computing, DevOps, IoT, WebRTC, Big Data and SDDC. We hope to see you there-members of the Blue Box team will exhibit in booth 218 next to the DevOps area. Plus, our Chief Product Officer, Hernan Alvarez, will present his talk "The Cloud Has a Down-and-Dirty Lining" as part of the Operations track in the DevOps Summit portion of the event on June 9 at 11 am. Learn more about his session her...
May. 23, 2015 12:00 AM EDT Reads: 2,827
Once the decision has been made to move part or all of a workload to the cloud, a methodology for selecting that workload needs to be established. How do you move to the cloud? What does the discovery, assessment and planning look like? What workloads make sense? Which cloud model makes sense for each workload? What are the considerations for how to select the right cloud model? And how does that fit in with the overall IT transformation?
May. 23, 2015 12:00 AM EDT Reads: 4,233
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading in...
May. 22, 2015 11:30 PM EDT Reads: 2,611
When OpenStack aficionados gather in Vancouver in a couple of weeks, one of the hot topics will be containers, a “new” alternative to virtualization. Actually, container technology has been around for a couple of decades, but it is trending among the IT community at a fever pitch these days and stands to have a huge impact on the future of cloud computing.The appeal of container technology is easy to appreciate. In a nutshell, containers can enable you to run many more applications on the same h...
May. 22, 2015 10:00 PM EDT Reads: 1,894
Docker is an open platform for developers and sysadmins of distributed applications that enables them to build, ship, and run any app anywhere. Docker allows applications to run on any platform irrespective of what tools were used to build it making it easy to distribute, test, and run software. I found this 5 Minute Docker video, which is very helpful when you want to get a quick and digestible overview. If you want to learn more, you can go to Docker’s web page and start with this Docker intro...
May. 22, 2015 09:00 PM EDT Reads: 1,830
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the...
May. 22, 2015 05:30 PM EDT Reads: 4,063
17th Cloud Expo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises a...
May. 22, 2015 05:00 PM EDT Reads: 2,383
Over the years, a variety of methodologies have emerged in order to overcome the challenges related to project constraints. The successful use of each methodology seems highly context-dependent. However, communication seems to be the common denominator of the many challenges that project management methodologies intend to resolve. In this respect, Information and Communication Technologies (ICTs) can be viewed as powerful tools for managing projects. Few research papers have focused on the way...
May. 22, 2015 05:00 PM EDT Reads: 1,763
As the world moves from DevOps to NoOps, application deployment to the cloud ought to become a lot simpler. However, applications have been architected with a much tighter coupling than it needs to be which makes deployment in different environments and migration between them harder. The microservices architecture, which is the basis of many new age distributed systems such as OpenStack, Netflix and so on is at the heart of CloudFoundry – a complete developer-oriented Platform as a Service (PaaS...
May. 22, 2015 05:00 PM EDT Reads: 1,629
The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential. The DevOps Summit at Cloud Expo – to be held June 3-5, 2015, at the Javits Center in New York City – will expand the DevOps community, enable a wide...
May. 22, 2015 03:00 PM EDT Reads: 1,924
Enterprises are fast realizing the importance of integrating SaaS/Cloud applications, API and on-premises data and processes, to unleash hidden value. This webinar explores how managers can use a Microservice-centric approach to aggressively tackle the unexpected new integration challenges posed by proliferation of cloud, mobile, social and big data projects. Industry analyst and SOA expert Jason Bloomberg will strip away the hype from microservices, and clearly identify their advantages and d...
May. 22, 2015 02:30 PM EDT Reads: 1,534
Cloud Expo, Inc. has announced today that Andi Mann returns to DevOps Summit 2015 as Conference Chair. The 4th International DevOps Summit will take place on June 9-11, 2015, at the Javits Center in New York City. "DevOps is set to be one of the most profound disruptions to hit IT in decades," said Andi Mann. "It is a natural extension of cloud computing, and I have seen both firsthand and in independent research the fantastic results DevOps delivers. So I am excited to help the great team at ...
May. 22, 2015 02:00 PM EDT Reads: 1,635
There is no question that the cloud is where businesses want to host data. Until recently hypervisor virtualization was the most widely used method in cloud computing. Recently virtual containers have been gaining in popularity, and for good reason. In the debate between virtual machines and containers, the latter have been seen as the new kid on the block – and like other emerging technology have had some initial shortcomings. However, the container space has evolved drastically since coming on...
May. 22, 2015 12:30 PM EDT Reads: 1,435
Container frameworks, such as Docker, provide a variety of benefits, including density of deployment across infrastructure, convenience for application developers to push updates with low operational hand-holding, and a fairly well-defined deployment workflow that can be orchestrated. Container frameworks also enable a DevOps approach to application development by cleanly separating concerns between operations and development teams. But running multi-container, multi-server apps with containers ...
May. 22, 2015 12:00 PM EDT Reads: 2,009
Converging digital disruptions is creating a major sea change - Cisco calls this the Internet of Everything (IoE). IoE is the network connection of People, Process, Data and Things, fueled by Cloud, Mobile, Social, Analytics and Security, and it represents a $19Trillion value-at-stake over the next 10 years. In her keynote at @ThingsExpo, Manjula Talreja, VP of Cisco Consulting Services, will discuss IoE and the enormous opportunities it provides to public and private firms alike. She will shar...
May. 22, 2015 12:00 PM EDT Reads: 2,062