Information Security
eBook - ePub

Information Security

Policy, Processes, and Practices

Seymour Goodman, Detmar W. Straub, Richard Baskerville

  1. 288 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

About this book

Information security is everyone's concern. The way we live is underwritten by information system infrastructures, most notably the Internet. The functioning of our business organizations, the management of our supply chains, and the operation of our governments depend on the secure flow of information. In an organizational environment, information security is a never-ending process of protecting information and the systems that produce it. This volume in the "Advances in Management Information Systems" series covers the managerial landscape of information security. It deals with how organizations and nations organize their information security policies and efforts. The book covers how to strategize and implement security with a special focus on emerging technologies. It highlights the wealth of security technologies, and also indicates that the problem is not a lack of technology but rather its intelligent application.


Information

Publisher
Routledge
Year
2016
ISBN
9781315288673
Edition
1
Sub-subject
Econometrics

PART I

THE TERRAIN OF INFORMATION SECURITY

CHAPTER 1

FRAMING THE INFORMATION SECURITY PROCESS IN MODERN SOCIETY

DETMAR W. STRAUB, SEYMOUR GOODMAN, AND RICHARD L. BASKERVILLE
Abstract: Describing the layout of the entire volume, this chapter explains how its parts emerged from an organic conception of organizations struggling to determine what their information security needs were and how to create viable security policies. Organizational issues exist within the context of both national and international developments in InfoSec and the final part deals with these critical arenas. Technological trends will dictate responses to the possibilities of security violations, and there are clear directions for such circumstances in the case of ubiquitous computing. The final chapter summarizes and reformulates the new directions that researchers should take in InfoSec.
Keywords: Information Security Processes, Policies, Practices, Guidelines, Technical Versus Managerial InfoSec Research, Key Research Questions, Future Research Directions, Landscape of Information Security
The volume covers the managerial landscape of information security. It deals with how organizations and nations organize their information security policies and efforts. It covers how to strategize and implement security, with a special focus late in the volume on emerging technologies.
It shows where our strengths lie and where there are weaknesses. It points out our wealth of security technologies, particularly since the dawn of the Internet and 9/11. It likewise indicates as clearly as possible that the likely problem today is not the lack of technology, but its intelligent application. The management of information security is in its infancy, whereas the development of security technologies has reached a much more advanced state of maturity.
In attempting to cover the terrain of a broad subject that already has had a long history (however checkered), it is inevitable that much will be left out. So the subject matter selected for this volume calls for a rationale since there must be reasons why some topics were chosen and others were not, and the tale of the choosing says something about what should be valued most highly.
Before engaging in this exercise, though, it is useful to define and elaborate the term “information security” (InfoSec). The term “information” receives the initial stress because we feel strongly that the rendering of data into meaningful statements and comparisons, which we take to be information, has received light attention in both the academic and trade presses. Most of the work on security has been at the technological level, the level of protecting data bits and bytes from unauthorized interception and misuse, while little work has focused on protecting those bits once they have been manipulated, formatted, and stored for managerial use. There are volumes of work on encryption algorithms and how to make them unbreakable, for example.1 Hence the prevalence, in this technical literature, of rubrics like “data/database security,” “computer security,” “cyber/Internet security,” and “network security.”
In short, information is a managerial and organizational tool, and the protection of information from the managers’ (and organizations’) point of view has not been subject to the same intense scrutiny as have security technologies. Not only are the policies that protect this information much less frequently discussed, but the processes that lead to effective policies are even less favored by scientists and practitioners. Broad social issues, such as international laws, standards, and agreements that affect security of information, are part of a wide range of environmental issues that also receive scant attention. There are numerous technical working papers dealing with such matters, but assessments of this scattered work have not been forthcoming. Many of these papers have direct organizational impacts, but even those with indirect effects bear watching and understanding.
Focusing on organizational needs, therefore, is the first way in which we scoped the topics covered. What we know at this time and where research should be moving in the future to address lightly examined areas represent the basic goals of the volume.
The term “security” cries out for some definition as well. By security, we most often mean the protection of assets from unauthorized use, but the term is often extended to cover situations where the mechanisms that protect assets are similar whether the damage comes from a malicious, an accidental, or a natural source. Organizations need to protect themselves from information losses whether these are caused by a terrorist or a tornado. Either can physically wipe out a firm’s data center. The recovery procedures differ mainly in whether insurance or a criminal investigation requires a forensic analysis. In both cases, there may be loss of life among mission-critical employees as well as loss of information and of the ability to produce information. As tragic as such events are, it would be a further loss if stakeholders who depend on the firm (employees and their families, shareholders, suppliers, customers, and the surrounding communities) were to continue to suffer from organizational unpreparedness.
Thus security as we define it includes business continuity planning, especially regarding information. Malicious elements need to be considered in scenarios in this planning effort, but equal attention must be placed on accidental and natural causes.

PARTS AND CHAPTERS

The perspective taken in this book is at an organizational level. Whether governmental, commercial, not-for-profit, or other, decision makers in organizations confront the need to specify organizational policies, define organizational processes, and manage organizational practices that assure the organization’s information security. Table 1.1 lists an inventory of the various influences that drive these decisions.
Perhaps at the most global level are the regulations that emerge from non-governmental organizations. These include the recommended standards and practices of professional organizations (such as ISACA, the Information Systems Audit and Control Association, which promotes the COBIT framework for IT governance and control, including InfoSec), industry standards and practices (such as the MasterCard and Visa collaboration that produced the Payment Card Industry Data Security Standard, PCI DSS), standards set by international bodies such as the International Organization for Standardization (ISO), and international agreements on issues such as personal data privacy through agencies like the OECD and the UN.
Governments, aside from being organizations that must set their own internal policies, processes, and practices, are organizations that drive laws and regulations requiring conformity within their territorial borders. These laws and regulations define computer crimes, including insufficient protection of private personal data and insufficient transparency of information necessary for informed public decisions about organizations (such as disclosure of investment risks). With their mandate for national security, governments may regulate advanced information technologies with military applications (such as cryptography) and set national policies to establish sufficient information security in key industry groups like finance, transportation, and energy. Such government regulation drives processes, policies, and practices in a very widespread range of commercial and private organizations (the effects of which may even be extraterritorial). Even the setting of internal government organizational processes, policies, and practices may have a widespread effect, as these may drive conforming requirements of government contracting organizations, or become regarded as emblematic standards of “due care” in InfoSec.
Table 1.1

Drivers Influencing Organizational Information Security Policies, Processes, and Practices

Non-governmental regulation
    International treaties
    International standards
    Industry standards and practices
    Professional standards and practices
Government regulation
    Computer crime
    Privacy protection
    Public disclosure requirements
    National security
    National information infrastructures
    Government internal policy
Organization
    Economics of security
        Costs and benefits
        Functionality-security tension (guns or butter)
    Ethics of security
        Mandated or optional (due care)
Technological
    Computer security
    Network security
    Cryptology
    Vicious circle
There are also internal drivers that determine organizational policies, processes, and practices. For example, improvements to organizational InfoSec usually require resources; an investment in InfoSec is therefore an economic decision. Costs and benefits are managed through risk analysis, and like any investment decision, improvements in InfoSec move forward under the shadow of their opportunity costs. Should the organization invest in improved information systems performance or instead invest in improved security for its existing systems? The “guns or butter” nature of the decision often pits systems performance advances against systems security advances. These conflicting goals bring forward the ethical dimensions of decisions about organizational InfoSec policies, processes, and practices. Where InfoSec features are mandated by regulations, the ethical aspects are clear. But in organizational systems where InfoSec is not required by regulation, organizations are left to follow their own ethical lights: instituting InfoSec policies, processes, and practices because these represent the measure of due care that a wide range of stakeholders would regard as responsible management of information.
Information technology is itself a driver of InfoSec management processes. Not only do newer technologies bring challenging new problems for security, but security for existing technologies is a vicious circle of technical developments. New InfoSec technologies lead adversaries to develop new techniques to defeat the new security technologies, forcing the need for even newer and even better InfoSec technologies. This is a constant race for effective technical solutions in areas like computer security, network security, and cryptology.
Table 1.2

Situating the Parts of Our Volume Among the Drivers Influencing Organizational Information Security Policies, Processes, and Practices

Part I. The Terrain of Information Security

Part II. Security Processes for Organizational Information Systems
    Organization
        Economics of security
            Costs and benefits
            Functionality-security tension (guns or butter)
        Ethics of security
            Mandated or optional (due care)

Part III. Processes for Securing the Extra-Organizational Setting
    Non-governmental regulation
        International treaties
        International standards
        Industry standards and practices
        Professional standards and practices
    Government regulation
        Computer crime
        Privacy protection
        Public disclosure requirements
        National security
        National information infrastructures
        Government internal policy

Part IV. Forces and Research Leading to Future Information Security Processes
    Technological
        Computer security
        Network security
        Cryptology
        Vicious circle
Indeed, the vicious circle involves more than just technology. The causal directions of the entire set of drivers are not straightforward. Various InfoSec events, like compromises and massive losses, occur within their contemporary frameworks, including the drivers noted in Table 1.1 and the various organizational InfoSec policies, processes, and practices. Such events lead to revisions in regulations and organizational values, as well as in technologies. As a result, these drivers also set the stage for their own revision, a form of self-remaking or autopoiesis.
How does the work at hand fit into this landscape? We can ...

Table of Contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Table of Contents
  6. Series Editor’s Introduction
  7. Part I. The Terrain of Information Security
  8. Part II. Security Processes for Organizational Information Systems
  9. Part III. Processes for Securing the Extra-Organizational Setting
  10. Part IV. Forces and Research Leading to Future Information Security Processes
  11. Editors and Contributors
  12. Series Editor
  13. Index
Citation formats for Information Security

APA 6 Citation

Goodman, S., Straub, D., & Baskerville, R. (2016). Information Security (1st ed.). Taylor and Francis. Retrieved from https://www.perlego.com/book/1630261/information-security-policy-processes-and-practices-pdf (Original work published 2016)

Chicago Citation

Goodman, Seymour, Detmar Straub, and Richard Baskerville. (2016) 2016. Information Security. 1st ed. Taylor and Francis. https://www.perlego.com/book/1630261/information-security-policy-processes-and-practices-pdf.

Harvard Citation

Goodman, S. et al. (2016) Information Security. 1st edn. Taylor and Francis. Available at: https://www.perlego.com/book/1630261/information-security-policy-processes-and-practices-pdf (Accessed: 14 October 2022).

MLA 7 Citation

Goodman, Seymour et al. Information Security. 1st ed. Taylor and Francis, 2016. Web. 14 Oct. 2022.