Information Security
eBook - ePub

Information Security

Policy, Processes, and Practices

Seymour Goodman, Detmar W. Straub, Richard Baskerville

  1. 288 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

About this book

Information security is everyone's concern. The way we live is underwritten by information system infrastructures, most notably the Internet. The functioning of our business organizations, the management of our supply chains, and the operation of our governments depend on the secure flow of information. In an organizational environment information security is a never-ending process of protecting information and the systems that produce it. This volume in the "Advances in Management Information Systems" series covers the managerial landscape of information security. It deals with how organizations and nations organize their information security policies and efforts. The book covers how to strategize and implement security with a special focus on emerging technologies. It highlights the wealth of security technologies, and also indicates that the problem is not a lack of technology but rather its intelligent application.


Information

Publisher
Routledge
Year
2016
ISBN
9781315288673

PART I

THE TERRAIN OF INFORMATION SECURITY

CHAPTER 1

FRAMING THE INFORMATION SECURITY PROCESS IN MODERN SOCIETY

DETMAR W. STRAUB, SEYMOUR GOODMAN, AND RICHARD L. BASKERVILLE
Abstract: Describing the layout of the entire volume, this chapter explains how its parts emerged from an organic conception of organizations struggling to determine what their information security needs were and how to create viable security policies. Organizational issues exist within the context of both national and international developments in InfoSec and the final part deals with these critical arenas. Technological trends will dictate responses to the possibilities of security violations, and there are clear directions for such circumstances in the case of ubiquitous computing. The final chapter summarizes and reformulates the new directions that researchers should take in InfoSec.
Keywords: Information Security Processes, Policies, Practices, Guidelines, Technical Versus Managerial InfoSec Research, Key Research Questions, Future Research Directions, Landscape of Information Security
The volume covers the managerial landscape of information security. It deals with how organizations and nations organize their information security policies and efforts. It covers how to strategize and implement security, with a special focus late in the volume on emerging technologies.
It shows wherein lie our strengths. It also shows where there are weaknesses. It points out our wealth of security technologies, particularly since the dawn of the Internet and 9/11. It likewise indicates as clearly as possible that the likely problem today is not the lack of technology, but its intelligent application. The management of information security is in its infancy, whereas the development of security technologies has reached a much more advanced state of maturity.
In attempting to cover the terrain of a broad subject that already has had a long history (however checkered), it is inevitable that much will be left out. So the subject matter selected for this volume calls for a rationale since there must be reasons why some topics were chosen and others were not, and the tale of the choosing says something about what should be valued most highly.
Before engaging in this exercise, though, it is useful to define and elaborate the term “information security” (InfoSec). The term “information” receives the initial stress since we feel strongly that the rendering of data into meaningful statements and comparisons, which we take to be information, has received light attention in both the academic and trade presses. Most of the work on security has been at the technological level, the level of protecting data bits and bytes from unauthorized interception and misuse, while little work has focused on protecting these binary digits once they have been manipulated, formatted, and stored for managerial use. There are volumes of work on encryption algorithms and how to make these unbreakable, for example.1 Hence the prevalence of terms in this technical literature on technologies described under rubrics like “data/database security,” “computer security,” “cyber/Internet security,” and “network security.”
In short, information is a managerial and organizational tool, and the protection of information from the managers’ (and organizations’) point of view has not been subject to the same intense scrutiny as have security technologies. Not only are the policies that protect this information much less frequently discussed, but the processes that lead to effective policies are even less favored by scientists and practitioners. Broad social issues, such as international laws, standards, and agreements that affect security of information, are part of a wide range of environmental issues that also receive scant attention. There are numerous technical working papers dealing with such matters, but assessments of this scattered work have not been forthcoming. Many of these papers have direct organizational impacts, but even those with indirect effects bear watching and understanding.
Focusing on organizational needs, therefore, is the first way in which we scoped the topics covered. What we know at this time and where research should be moving in the future to address lightly examined areas represent the basic goals of the volume.
The term “security” cries out for some definition as well. By security, we most often mean the protection of assets from unauthorized use, but the term is often extended to cover situations where mechanisms to protect assets are similar whether the damage that is inflicted comes from either a malicious, accidental, or a natural source. Organizations need to protect themselves from information losses whether these are caused by a terrorist or a tornado. Either will physically wipe out a firm’s data center. The recovery procedures are only distinctive in terms of whether insurance or criminal investigations require a forensic analysis. In both cases, there would be loss of life of mission-critical employees as well as loss of information and the ability to produce information. As tragic as such events are, it would be a further loss if stakeholders who depend on the firm—employees and their families, shareholders, suppliers, customers, and the surrounding communities—were to continue to suffer from organizational unpreparedness.
Thus security as we define it includes business continuity planning, especially regarding information. Malicious elements need to be considered in scenarios in this planning effort, but equal attention must be placed on accidental and natural causes.

PARTS AND CHAPTERS

The perspective taken in this book is at an organizational level. Whether governmental, commercial, not-for-profit, or other, decision makers in organizations confront the need to specify organizational policies, define organizational processes, and manage organizational practices that assure the organization’s information security. Table 1.1 lists an inventory of the various influences that drive these decisions.
Perhaps at the most global level are the regulations that emerge from non-governmental organizations. These include the recommended standards and practices of professional organizations (such as the Information Systems Audit and Control Association, which promotes an InfoSec framework called COBIT), industry standards and practices (such as the MasterCard and Visa collaboration that mandated a payment card industry data security framework), standards set by international agencies such as the International Standards Organization, and international agreements on issues such as personal data privacy through agencies like OECD and the UN.
Governments, aside from being organizations that must set their own internal policies, processes, and practices, are organizations that drive laws and regulations requiring conformity within their territorial borders. These laws and regulations define computer crimes, including insufficient protection of private personal data and insufficient transparency of information necessary for informed public decisions about organizations (such as disclosure of investment risks). With their mandate for national security, governments may regulate advanced information technologies with military applications (such as cryptography) and set national policies to establish sufficient information security in key industry groups like finance, transportation, and energy. Such government regulation drives processes, policies, and practices in a very widespread range of commercial and private organizations (the effects of which may even be extraterritorial). Even the setting of internal government organizational processes, policies, and practices may have a widespread effect, as these may drive conforming requirements of government contracting organizations, or become regarded as emblematic standards of “due care” in InfoSec.
Table 1.1

Drivers Influencing Organizational Information Security Policies, Processes, and Practices

Non-governmental regulation
    International treaties
    International standards
    Industry standards and practices
    Professional standards and practices
Government regulation
    Computer crime
    Privacy protection
    Public disclosure requirements
    National security
    National information infrastructures
    Government internal policy
Organization
    Economics of security
        Costs and benefits
        Functionality—Security tension (guns or butter)
    Ethics of security
        Mandated or optional (due care)
Technological
    Computer security
    Network security
    Cryptology
    Vicious circle
There are also internal drivers that determine organizational policies, processes, and practices. For example, improvements to organizational InfoSec usually require resources; an investment in InfoSec is therefore an economic decision. Costs and benefits are managed through risk analysis, and like any investment decision, improvements in InfoSec move forward under the shadow of their opportunity costs. Should the organization invest in improved information systems performance or instead invest in improved security for its existing systems? The “guns or butter” nature of the decision often pits systems performance advances against systems security advances. These conflicting goals bring forward the ethical dimensions of decisions about organizational InfoSec policies, processes, and practices. Where InfoSec features are mandated by regulations, the ethical aspects are clear. But in organizational systems where InfoSec is not required by regulation, organizations are left to follow their own ethical lights: instituting InfoSec policies, processes, and practices because these represent the measure of due care that a wide range of stakeholders would regard as responsible management of information.
Information technology is itself a driver of InfoSec management processes. Not only do newer technologies bring challenging new problems for security, but security for existing technologies is a vicious circle of technical developments. New InfoSec technologies lead adversaries to develop new techniques to defeat the new security technologies, forcing the need for even newer and even better InfoSec technologies. This is a constant race for effective technical solutions in areas like computer security, network security, and cryptology.
Table 1.2

Situating the Parts of Our Volume Among the Drivers Influencing Organizational Information Security Policies, Processes, and Practices

Part I. The Terrain of Information Security

Part II. Security Processes for Organizational Information Systems
    Organization
        Economics of security
            Costs and benefits
            Functionality—Security tension (guns or butter)
        Ethics of Security
            Mandated or optional (due care)

Part III. Processes for Securing the Extra-Organizational Setting
    Non-Government Regulation
        International treaties
        International standards
        Industry standards and practices
        Professional standards and practices
    Government Regulation
        Computer crime
        Privacy protection
        Public disclosure requirements
        National security
        National information infrastructures
        Government internal policy

Part IV. Forces and Research Leading to Future Information Security Processes
    Technological
        Computer security
        Network security
        Cryptology
        Vicious Circle
Indeed, the vicious circle involves more than just technology. The causal directions of the entire set of drivers are not straightforward. Various InfoSec events, like compromises and massive losses, occur within their contemporary frameworks, including the drivers noted in Table 1.1 and the various organizational InfoSec policies, processes, and practices. Such events lead to revisions in regulations and organizational values, as well as technologies. As a result, these drivers also set the stage for their own revisions, a form of self-remaking or autopoiesis.
How does the work at hand fit into this landscape? We can ...

Table of Contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Table of Contents
  6. Series Editor’s Introduction
  7. Part I. The Terrain of Information Security
  8. Part II. Security Processes for Organizational Information Systems
  9. Part III. Processes for Securing the Extra-Organizational Setting
  10. Part IV. Forces and Research Leading to Future Information Security Processes
  11. Editors and Contributors
  12. Series Editor
  13. Index
Citation styles for Information Security

APA 6 Citation

Goodman, S., Straub, D., Baskerville, R., & Baskerville, R. (2016). Information Security (1st ed.). Taylor and Francis. Retrieved from https://www.perlego.com/book/1630261/information-security-policy-processes-and-practices-pdf (Original work published 2016)

Chicago Citation

Goodman, Seymour, Detmar Straub, Richard Baskerville, and Richard Baskerville. (2016) 2016. Information Security. 1st ed. Taylor and Francis. https://www.perlego.com/book/1630261/information-security-policy-processes-and-practices-pdf.

Harvard Citation

Goodman, S. et al. (2016) Information Security. 1st edn. Taylor and Francis. Available at: https://www.perlego.com/book/1630261/information-security-policy-processes-and-practices-pdf (Accessed: 14 October 2022).

MLA 7 Citation

Goodman, Seymour et al. Information Security. 1st ed. Taylor and Francis, 2016. Web. 14 Oct. 2022.